How do I block every connection except vpn and ssh without endangering the state of my vps?


Here's a tutorial: https://help.ubuntu.com/community/IptablesHowTo

To summarise:

# Allow loopback traffic; local services (resolvers, databases, monitoring)
# talk over lo, and the DROP policy set at the end would otherwise cut them off:
iptables -A INPUT -i lo -j ACCEPT

# Allow packets for existing connections (this is required for replies
# from the internet to connections you initiate from the vps):
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow connecting to SSH, the established session is handled above
# (service names are resolved from /etc/services; ssh is 22/tcp):
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow connecting to the VPN server, assuming default OpenVPN w/ TCP
# (openvpn is 1194/tcp in /etc/services):
iptables -A INPUT -p tcp --dport openvpn -j ACCEPT

# Does anybody need to ping you? If you never want to do that:
# iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
#
# (Almost) All other ICMP is important, don't bother trying to make exceptions:
iptables -A INPUT -p icmp -j ACCEPT

# If you run OpenVPN in UDP mode, want to run traceroute to yourself,
# or use NFS over UDP, accept them here. Remember to explicitly allow replies,
# for services you access.

# Drop everything else. Two ways to do this:
# The common catch-all rule, which makes adding rules later harder
# (need to "-I"nsert instead of "-A"ppend; order matters!):
# iptables -A INPUT -j DROP
#
# Alternatively, set the default policy:
iptables -P INPUT DROP

However, I'm not sure what that buys you. The scan packets will enter your network interface anyway, so you only save the outbound "nothing listening on this port" replies (if something is listening: if you don't need it, turn it off, and if you do, you need to allow access anyway), and with a few ports open, you're not going to be invisible anyway.

Still, good luck. Remember that it's easy to lock yourself out accidentally, and proceed with care.
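As an added example, not code from the answer above: a small POSIX sh script that builds this kind of allow-list ruleset and loads it with a timed rollback, so a typo in the rules cannot lock you out. It assumes IPv4 iptables on a Debian VPS, root for the apply step, and a constructed allow-list of SSH on 22/tcp plus OpenVPN on 1194 over both TCP and UDP (the UDP case the answer leaves to the reader).

```shell
#!/bin/sh
# Added example (not from the answer): build an allow-list INPUT ruleset and
# apply it with a timed rollback so a mistake cannot lock you out of the VPS.
# Assumptions: IPv4 iptables on Debian, root for the apply step; the
# allow-list below is constructed (22/tcp SSH, 1194 OpenVPN over TCP and UDP).
ALLOW="tcp:22 tcp:1194 udp:1194"
ROLLBACK_SECS=120

# Print the rule commands, one per line, without executing anything.
build_rules() {
    echo "iptables -P INPUT ACCEPT"   # never flush while the policy is DROP
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    for entry in $ALLOW; do
        proto=${entry%%:*}; port=${entry#*:}
        echo "iptables -A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    echo "iptables -P INPUT DROP"   # set the policy last, after the allows exist
}

# Number of allow-list rules that build_rules emits (sanity check).
allowed_rule_count() {
    build_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Save the live rules, arm a detached restore timer, load the new rules, then
# ask for confirmation; the admin should first open a fresh SSH session.
apply_with_rollback() {
    backup=$(mktemp)
    iptables-save > "$backup"
    nohup sh -c "sleep $ROLLBACK_SECS; iptables-restore < '$backup'" >/dev/null 2>&1 &
    timer=$!
    build_rules | sh -e
    echo "Rules loaded. Open a NEW ssh session now; auto-rollback in ${ROLLBACK_SECS}s."
    printf 'Type yes to keep them: '
    read -r answer
    if [ "$answer" = "yes" ]; then
        kill "$timer" && rm -f "$backup" && echo "kept"
    fi
}

if [ "${1:-}" = "apply" ]; then apply_with_rollback; fi
```

Run it as root with the `apply` argument; it is IPv4 only, so a VPS that also has an IPv6 address needs the same rules loaded through ip6tables or the lockdown is incomplete.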

Author: yarun can

Updated on September 18, 2022

Comments

  • yarun can, over 1 year ago

    I have some VPS space but I get a lot of scans based on what I see in iftop. I tried some iptables stuff but it gets tiring and useless to put in all the IPs that I see in the logs. I am wondering about the best way to ensure that I can get a steady connection to my VPS while keeping pretty much everything off until I want to enable it via iptables.

    At the moment I have Debian, with an active VPN and SSH running on it. I would like the bare bones essential stuff+vpn+ssh accepting incoming and outgoing connections, and the rest can stay out of my front yard.

    Basically I am looking for a list of commands that can work with Debian. I tried a bunch of stuff based on what I saw on the net. Some stuff threw errors, some got me confused. Anyway, I was able to get a couple of things to work, like accepting connections on the VPN. I just need a clear list, I guess.

    I do not need to define a single IP that is responsible for the connections, so ports would do it for me. I can add the IP destinations later myself.

    Thanks.

    • cybernard, over 10 years ago
      If ESTABLISHED,RELATED, accept the connection. You can make a list of the good ports and do an inverse block: if the port is not ##, ###, ###, or ###, DROP, and the protocol is ???