How can I allow ssh connection from an IP subnet on port 10022 using iptables?


Use the -s option of iptables. It accepts an IP of the form nnn.nnn.nnn.nnn or with a mask (nnn.nnn.nnn.nnn/nnn.nnn.nnn.nnn or nnn.nnn.nnn.nnn/nn). So to allow for example connections from nnn.nnn.nnn.* you can write

iptables -A INPUT -s nnn.nnn.nnn.0/255.255.255.0 -i em1 -p tcp --dport XXXXX -m state --state NEW,ESTABLISHED -j ACCEPT

or

iptables -A INPUT -s nnn.nnn.nnn.0/24 -i em1 -p tcp --dport XXXXX -m state --state NEW,ESTABLISHED -j ACCEPT

(see for example here for netmask calculation)

If you cannot create a netmask, then I'm afraid you will have to duplicate the rule for each of the IP addresses you want to allow to connect to your server.

In general, though, I never found working with iptables directly very nice, one can quickly lose the overview. I'd probably go for something like shorewall.



Author: Mike

Updated on September 18, 2022

Comments

  • Mike
    Mike over 1 year

    I need to set up a server with public IP for bandwidth testing, and I already have a script to drop all incoming traffic except for the ports I need. I have changed the ssh port from default (22) to another one (let's call it XXXXX; sorry for the paranoia but we just got hacked last week).

    So my question is how can I allow a range of IPs to ssh into the server through that specific port?

    The script I mentioned earlier:

    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -i em1 -p tcp --dport XXXXX -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o em1 -p tcp --sport XXXXX -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o em1 -p tcp --dport XXXXX -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i em1 -p tcp --sport XXXXX -m state --state ESTABLISHED -j ACCEPT
    

    So I just need to add the ip range so that I can ssh remotely.

  • 0xC0000022L
    0xC0000022L almost 10 years
    If you lose the overview it likely means you're doing it wrong. ipset is, for example, an awesome way of staying on top of the complexity, while giving symbolic names to whole sets of IPs, networks or ports or interfaces or combinations of the former and speeding up processing compared to adding individual rules instead of referencing an IP set.
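As an added worked example (not code from the answer, the question or the comments above), the script below generates the commands for both approaches discussed on this page: one `-s` rule per subnet, as in the answer, or a single rule matching an ipset, as suggested in the last comment. It also does the netmask arithmetic the answer defers to an external calculator, so an allowlist may mix `a.b.c.d/24`, `a.b.c.d/255.255.255.0` and bare host addresses. The interface `em1` and the port `10022` are taken from the question; the set name `ssh_admins` and the subnets in `ALLOWED_SUBNETS` are constructed sample values. Nothing is applied to the running firewall; the script prints commands for review, which can then be piped into `sh` as root.

```shell
#!/bin/sh
# Added example, not from the original page. Emit the firewall commands that
# admit SSH on a non-default port from an allowlist of subnets, either as one
# "-s" rule per subnet (the answer's approach) or as one rule matching an
# ipset (the approach suggested in the last comment).
# Assumptions: "em1" and 10022 come from the question; "ssh_admins" and the
# networks listed in ALLOWED_SUBNETS are constructed for this example.

SSH_PORT=10022
IFACE=em1
SET_NAME=ssh_admins
# Constructed allowlist: CIDR form, dotted-netmask form, and a bare host.
ALLOWED_SUBNETS="192.0.2.0/24 198.51.100.0/255.255.255.0 203.0.113.9"

# Convert a dotted-quad netmask to a prefix length (255.255.255.0 -> 24).
# Non-contiguous masks such as 255.0.255.0 are rejected: they rarely mean
# what the author intended and would silently widen the allowed range.
mask_to_prefix() {
    bits=0; tail_started=0; octets=0
    oldifs=$IFS; IFS=.
    for octet in $1; do
        octets=$((octets + 1))
        if [ "$tail_started" = 1 ] && [ "$octet" != 0 ]; then IFS=$oldifs; return 1; fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); tail_started=1 ;;
            252) bits=$((bits + 6)); tail_started=1 ;;
            248) bits=$((bits + 5)); tail_started=1 ;;
            240) bits=$((bits + 4)); tail_started=1 ;;
            224) bits=$((bits + 3)); tail_started=1 ;;
            192) bits=$((bits + 2)); tail_started=1 ;;
            128) bits=$((bits + 1)); tail_started=1 ;;
            0)   tail_started=1 ;;
            *)   IFS=$oldifs; return 1 ;;
        esac
    done
    IFS=$oldifs
    [ "$octets" -eq 4 ] || return 1
    echo "$bits"
}

# Normalise "a.b.c.d", "a.b.c.d/len" or "a.b.c.d/m.m.m.m" to "a.b.c.d/len".
normalize_cidr() {
    addr=${1%%/*}
    mask=${1#*/}
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac   # crude address check
    if [ "$mask" = "$1" ]; then
        echo "$addr/32"                        # bare host: exactly one address
    elif [ "${mask#*.}" != "$mask" ]; then
        prefix=$(mask_to_prefix "$mask") || return 1
        echo "$addr/$prefix"
    else
        case $mask in *[!0-9]*|'') return 1 ;; esac
        [ "$mask" -le 32 ] || return 1
        echo "$addr/$mask"
    fi
}

# Print the commands for one style ("plain" or "ipset"); apply nothing.
emit_rules() {
    style=$1
    case $style in plain|ipset) ;; *) echo "usage: emit_rules plain|ipset" >&2; return 2 ;; esac
    [ "$style" = ipset ] && echo "ipset -exist create $SET_NAME hash:net"
    for net in $ALLOWED_SUBNETS; do
        cidr=$(normalize_cidr "$net") || { echo "rejecting malformed subnet: $net" >&2; return 1; }
        if [ "$style" = plain ]; then
            # One pair of rules per subnet. The OUTPUT rule is narrowed with -d so
            # replies only flow back to the allowed sources, not to any peer.
            echo "iptables -A INPUT  -i $IFACE -p tcp --dport $SSH_PORT -s $cidr -m state --state NEW,ESTABLISHED -j ACCEPT"
            echo "iptables -A OUTPUT -o $IFACE -p tcp --sport $SSH_PORT -d $cidr -m state --state ESTABLISHED -j ACCEPT"
        else
            echo "ipset -exist add $SET_NAME $cidr"
        fi
    done
    if [ "$style" = ipset ]; then
        # Two rules total regardless of set size; later changes to the allowlist
        # need only "ipset add" / "ipset del", not a rule reload.
        echo "iptables -A INPUT  -i $IFACE -p tcp --dport $SSH_PORT -m set --match-set $SET_NAME src -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -o $IFACE -p tcp --sport $SSH_PORT -m set --match-set $SET_NAME dst -m state --state ESTABLISHED -j ACCEPT"
    fi
}

# Review the output first, then apply as root, e.g.:  sh ssh-allow.sh ipset | sh
emit_rules "${1:-plain}"
```

The rules are written with `-m state --state`, matching the question's script; on current kernels `-m conntrack --ctstate` is the equivalent and preferred match. Keep the accept rules ahead of any catch-all drop in the same chain, since iptables evaluates rules in order and the `-P INPUT DROP` policy only applies to packets no rule accepted.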