Join Log in
Score:0
Nigel Wash avatar Ubuntu

Iptables that only allow incoming traffic to OpenSSH and block all other traffic

cn flag
Nigel Wash

I need to configure a firewall using iptables that only allows incoming traffic to the openssh services and block all other traffic. I know how to block all incoming traffic but don't know how to only allow incoming traffic to the openssh and block all other incoming traffic simultaneously. I also need the ssh to be logged as "ssh traffic" and all the other blocked traffic to be logged as "blocked traffic". Any help would be much appreciated.

Thanks guys

221
0 + 0
ssh
Score:1
avatar Ubuntu
in flag
matigo

The simplest way to do this would be like this:

  1. Open Terminal (if it's not already open)
  2. Block all incoming traffic: 
    sudo ufw default deny incoming
  3. Allow OpenSSH: 
    sudo ufw allow OpenSSH

If SSH connections are coming in from a limited subset of IPs, such as an internal network, then you can limit OpenSSH to just the local network like this:

sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

Note: Be sure to change 192.168.0.0 to a value applicable to the network.

0 + 0
Nigel Wash avatar
cn flag
Nigel Wash
Hi @matigo is it possible to do it without the use of ufw?
0
Reply
in flag
matigo
Yes, but why avoid `ufw`? It's just a wrapper for `iptables` and makes things much simpler ...
0
Reply
Score:0
Doug Smythies avatar Ubuntu
gn flag
Doug Smythies

Here is an iptables rules creating script:

#!/bin/sh
FWVER=0.01
#
# ask1368071 Smythies 2021.10.08 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1368071/iptables-that-only-allow-incoming-traffic-to-openssh-and-block-all-other-traffic
#       run as sudo on s19.
#       log entries are only for each NEW ssh packet. It seems unreasonable to log every ssh packet, but it could be done.
#

echo "Loading ask1368071 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Set for Smythies s19 computer (for testing). Edit for ask1368071's computer.
EXTIF="br0"
EXTIP="192.168.111.136"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Nigel's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Allow any related traffic coming back to the server in.
# (Nigel did not ask for this, but I am assuming it is needed.)
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow and log new SSH connections
#
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j LOG --log-prefix "ssh traffic:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

# Do not allow in anything else
# Could also just fall through to default policy here, but sometimes a logging rule is also desired.
#
$IPTABLES -A INPUT -i $EXTIF -j LOG --log-prefix "blocked traffic:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -j DROP

# Done.
#
echo ask1368071 rule set version $FWVER done.

Here is a listing after a new ssh session has been started:

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      66     5465 ACCEPT     all  --  br0    *       0.0.0.0/0            192.168.111.136      state RELATED,ESTABLISHED
       1       52 LOG        tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22 LOG flags 0 level 6 prefix "ssh traffic:"
       1       52 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22
      18     1382 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "blocked traffic:"
      18     1382 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 56 packets, 8793 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Here are some log entries. Opps, I have busted my samba share:

Oct  8 08:07:15 s19 kernel: [249075.860342] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53951 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:16 s19 kernel: [249076.878329] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53957 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:17 s19 kernel: [249077.896198] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53959 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:18 s19 kernel: [249078.914012] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53960 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:19 s19 kernel: [249079.931823] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53961 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:20 s19 kernel: [249080.934176] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53962 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:20 s19 kernel: [249081.115999] blocked traffic:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:80:7d:3a:19:ea:59:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=316
Oct  8 08:07:20 s19 kernel: [249081.132297] blocked traffic:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:80:7d:3a:19:ea:59:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=316
Oct  8 08:07:21 s19 kernel: [249081.936134] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53964 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:22 s19 kernel: [249082.938594] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53965 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:23 s19 kernel: [249083.956556] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53966 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:24 s19 kernel: [249084.958914] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53967 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:25 s19 kernel: [249085.976907] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=53968 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  8 08:07:25 s19 kernel: [249085.981353] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53969 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:26 s19 kernel: [249086.985732] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53970 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:28 s19 kernel: [249089.005970] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53971 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:32 s19 kernel: [249093.012998] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53973 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:35 s19 kernel: [249096.205252] ssh traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53974 DF PROTO=TCP SPT=61351 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:40 s19 systemd[1]: Started Session 222 of user doug.
Oct  8 08:07:40 s19 kernel: [249101.031397] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53989 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:46 s19 kernel: [249107.046666] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53997 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:47 s19 kernel: [249108.061299] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53998 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:49 s19 kernel: [249110.065547] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53999 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:53 s19 kernel: [249114.090375] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=54001 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:08:01 s19 kernel: [249122.092377] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=54021 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.