Iptables: Block all countries except my own for specific port

Daniel,

You're probably going to want something along the lines of this. This is just cut directly from my /etc/sysconfig/iptables file on Red Hat.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.1.1.0/24 -p tcp -m multiport --dports 22,80,443,5666 -j ACCEPT
-A INPUT -s 10.2.2.2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT

As you can see, the default policy for INPUT is DROP, so you don't have to write any specific drop rules; you only have to say what you want to allow. In my example, I have shown where you can do multiple protocols for 1 rule or just a single protocol for 1 rule.

Edit: Below is an example script you can use to create your iptable rules.

#!/bin/bash
# Iptables configuration script

# Flush all current rules from iptables
/sbin/iptables -F

# Loopback address
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow replies to connections this host already has (and related traffic)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow FTP and SSH from specific IPs
/sbin/iptables -A INPUT -s 10.0.2.0/24 -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT

# Allow pings from monitoring server
/sbin/iptables -A INPUT -s 1.1.1.1 -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow web server access from anywhere
/sbin/iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Drop noisy broadcast/NetBIOS traffic before the LOG rule below so it never enters the logs
/sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "

# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Save settings
/sbin/service iptables save

# List rules
/sbin/iptables -L -v
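The question asks for the opposite shape of rule set: a few ports that accept traffic only from a list of CIDR ranges, while the web ports stay open to everyone and INPUT still defaults to DROP. The script below is an added example, not part of the answer above or from any of its authors. It generates a rule set in the same iptables-restore format as the /etc/sysconfig/iptables excerpt, using a dedicated GEO_ALLOW chain so that the allow-list stays in one place. The CIDR list and port numbers are constructed stand-ins (RFC 5737 documentation ranges, not real German ranges); the real list would be read from a file.

```shell
#!/bin/sh
# Added example, not part of the answer above: build an iptables-restore
# ruleset in which a few ports accept traffic only from an allow-list of
# CIDR ranges, web ports stay open to everyone, and INPUT defaults to DROP.

GEO_PORTS="21,22,25"   # ports restricted to the allowed ranges (FTP, SSH, SMTP)
OPEN_PORTS="80,443"    # ports open to every source

# Constructed stand-in for the real country list: RFC 5737 documentation
# ranges, one CIDR per line. In practice this comes from a file.
ALLOWED_CIDRS="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Reject malformed entries before they reach iptables-restore, which would
# otherwise abort the whole load and leave the old ruleset in place.
validate_cidrs() {
    printf '%s\n' "$1" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || exit 1
    done
}

# Emit the ruleset on stdout in iptables-restore format. Restricted ports
# jump to GEO_ALLOW, where the first match wins: listed ranges ACCEPT,
# everything else is logged (rate-limited) and dropped.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':GEO_ALLOW - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $OPEN_PORTS -j ACCEPT"
    printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m multiport --dports $GEO_PORTS -j GEO_ALLOW"
    printf '%s\n' "$1" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        printf '%s\n' "-A GEO_ALLOW -s $cidr -j ACCEPT"
    done
    printf '%s\n' '-A GEO_ALLOW -m limit --limit 10/m -j LOG --log-prefix "Geo blocked: "'
    printf '%s\n' '-A GEO_ALLOW -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of per-range ACCEPT rules in the generated GEO_ALLOW chain.
count_allow_rules() {
    gen_ruleset "$1" | grep -c -- '-A GEO_ALLOW -s '
}

# Usage (as root, with the real list in de-ranges.txt):
#   validate_cidrs "$(cat de-ranges.txt)" && gen_ruleset "$(cat de-ranges.txt)" | iptables-restore
```

Check the output with `iptables-restore --test` before loading it for real, and keep an out-of-band way onto the box: because INPUT defaults to DROP, a typo in the list locks out SSH from everywhere except the listed ranges. A country list usually runs to thousands of ranges, and iptables walks its rules linearly, so for a list that size put the ranges into an ipset of type hash:net and replace the per-range ACCEPT lines with a single `-m set --match-set` rule in GEO_ALLOW.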
Author: Daniel Marschall

Updated on September 18, 2022

Comments

  • Daniel Marschall
    Daniel Marschall over 1 year

    I would like to block all IPs (CIDR 0.0.0.0/0) except for German IPs for the SSH, FTP and SMTP ports. So, the default policy for those ports should be "DROP". I have a list of all German IP CIDR ranges, which would be on the "ACCEPT" list.

    I have not understood how iptables exactly works and need a bit of help with the syntax. I also did not find how to configure the behavior when there are 2 mutually exclusive rules, ACCEPT and DROP, for a specific host. I have Debian Linux on a VM, but I could not test it since I only have 1 computer in my network, so I cannot test whether IP ranges are rejected or not.

    Also, is it possible to tell iptables to accept a dynamic hostname, e.g. a DynDNS hostname, where the IP address behind it always changes?

    My idea would be (untested):

    iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 21 -j DROP
    iptables -I INPUT -s 1.2.3.4 -p tcp --dport 21 -j ACCEPT
    

    where 1.2.3.4 is an example IP which would be allowed.

    • user9517
      user9517 almost 12 years
      iptables only does a dns lookup to get an IP address when the rule is entered. If the IP address changes iptables doesn't notice.
  • Daniel Marschall
    Daniel Marschall almost 12 years
    Thanks for your answer. So your script does allow IP "10.1.1.1" to access the ports 22,80,443,5666. But what's the meaning of the rule for "10.2.2.2" at port 443? The problem is that I also want to serve an HTTP webserver, so the default rule for all ports may not be DROP; only for specific ports should the default rule be DROP.
  • Eric
    Eric almost 12 years
    For any firewall, the default inbound rule should always be drop. So we start out with INPUT DROP. From here we ask ourselves, what do we want to be allowed into this server? Do we want HTTP allowed inbound from all IPs? If so then add "-A INPUT -p tcp -m multiport --dports 80,443". When we don't add a "-s" for source IP, we allow that port open for everyone. Then if we want port 21 for only a certain IP range, you create a similar rule but modify the source and services you are allowing.
  • Daniel Marschall
    Daniel Marschall almost 12 years
    Thank you very much for your edited version. That seems to be a perfect example and template to build custom firewall rules. Btw, why did you comment "Drop rules to prevent them from entering the logs" for rules which excluded NetBIOS and SMB ports?
  • Eric
    Eric almost 12 years
    For that rule I didn't want broadcast and NetBIOS traffic entering my logs because that is pointless information for me. So if you create a drop rule prior to your log rule, then it won't hit your log rule. Iptables goes in order, and once it matches a rule, it's done and it doesn't hit the rest of the rules. For example, if you don't want to log dropped port 80 traffic you can add a "--dport 80 -j DROP" rule before your log rule and it will never log.