how do I drop all traffic to smtp, except originating from my IP? This example I found drops traffic for particular IP, I need to deny by default, but allow 1 IP in. Thanks
# iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j DROP
iptables -A INPUT -s ! 65.55.44.100 -p tcp --destination-port 25 -j DROP
# iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j ACCEPT
# iptables -A INPUT -p tcp --destination-port 25 -j DROP
If you actually want to deny all traffic by default, and only open up holes for specific protocols/addresses/etc., what you want to do is continue to use the rule you have now, and also modify the default policy like so:
# iptables -P INPUT DROP
Otherwise, siposa's answer will drop all SMTP traffic except for the specified IP address, while not affecting other protocols.
Related
here is my whitelist allowing wikipedia and rejecting all other sites. Unfortunately this script does not work : I cannot connect to wikipedia. Why ?
Thank you
Allow incoming traffic from established connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow incoming connections from wikipedia
iptables -A INPUT -s 78.109.84.114 -j ACCEPT
Allow outcoming connections from wikipedia
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
Drop other incoming connections.
iptables -P INPUT DROP
Drop any transfer of traffic.
iptables -P FORWARD DROP
I think i got your Problem.
Try using iptables -A OUTPUT -d 78.109.84.114 -j ACCEPT instead of
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
And if you want to work with the state module then use:
iptables -A OUTPUT -m state --state NEW -d 78.109.84.114 -j ACCEPT
The Problem is, that you create a rule, that says that Traffic that goes into the OUTPUT Chain with the Source Adress 78.109.84.114 is allowed. But what you want is a rule that allows Traffic to Wikipedia outgoing not from Wikipedia.
I can set iptables rules to prevent external connection. But can we use iptables to prevent internal connection? For example, I have set iptables to prevent port 5555 port on my machine, but my local APP can still connect with 5555 when running on my machine.
Yes you can block it using iptables.
iptables -A INPUT -d 127.0.0.1 -p tcp --dport 5555 -j DROP
With this command you'll not be able to connect from your own host to your own service. Then you can remove the rule using the opposite to -A append which is -D delete:
iptables -D INPUT -d 127.0.0.1 -p tcp --dport 5555 -j DROP
Hope it helps.
Depends upon how you are blocking the port 5555, if you have a specific INPUT rule with interface and source and/or destination addresses it would match only those. In your case, you could modify your rule to just match tcp destination port 5555 and it will block all packets to tcp destination port 5555. for eg:
iptables -t filter -I INPUT -p tcp --dport 5555 -j DROP
If you just want to block your internal apps and not touch your existing iptables rule then use the incoming interface as lo for eg:
iptables -t filter -I INPUT -i lo -p tcp --dport 5555 -j DROP
Note: If you are using destination ip then use the entire loopback address range rather than just 127.0.0.1 for eg:
iptables -t filter -I INPUT -d 127.0.0.0/8 -p tcp --dport 5555 -j DROP
Before you do any changes you can instead of -j DROP action use -j LOG action to log and confirm the tcp connections this rule will match. You could also skip the action part without specifying the -j option and check how many packets would match your rule with iptables -t filter -L -n -v without causing any harm.
I need some custom iptables for a login page of my wifi hotspot on my raspberry pi. I want an http login page: this is how it should work, I just don't know how to configure the iptables.:
Any connections on an ip address that is not already logged in, should be redirected to the pi's port 8181 (the server for my login page).
Any connections on an ip address that is logged in should be allowed to access the outside internet.
Any connections initially requesting the pi's port 8181 should be allowed.
How should I set this up with iptables?
Thanks!
I've found the following article very helpful when learning iptables:
http://wiki.centos.org/HowTos/Network/IPTables
Basically you can start with a something similar to:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
This will block pretty much everything other than SSH, outgoing connections, and connections that are previously established (ie from previous outgoing connections)
Once that is in place you need to do the redirection:
http://proghowto.com/iptables-redirect-port-80-to-port-8080
And finally you need to run something like the following for each ip that gets authenticated:
# iptables -A INPUT -s 192.168.0.4 -j ACCEPT
My centos server has an iptables rule.
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
this code is doing the work like firewall but I don't want to block of my server ips.
my server ips:
"127.0.0.1", "my server ip1", "my server ip2", etc.
How do I get them out of this ip tables rule?
Thank you very much!
Just use :
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -j ACCEPT
Note that this will open everything for SERVER_IPs. YMMV depending on want you want to allow.
For instance, if you just want to open HTTP port for those IPs :
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -p tcp --dport 80 -j ACCEPT
I can't access Plesk Amdin because of DOS attack; can I block a hostname or IP address through SSH? If so, how would I be able to do this?
Thank you!
If you have iptables you can block it using simple rule:
iptables -I INPUT --source 1.2.3.4 -j DROP
This rule drops packets coming from IP 1.2.3.4.
Probably the easiest is to SSH to your box use vim to and add the following to the top of your .htaccess file in the root of your domain (/var/www/vhosts/yourdomain.com/httpdocs/.htaccess):
deny from 12.345.67.89
Obviously replace the IP address with the one you want to block. Repeat this for any sites you think are being attacked.
iptables -I INPUT -p tcp -s 1.2.3.4 -m statistic --probability 0.5 -j DROP
iptables -I INPUT n -p tcp -s 1.2.3.4 -m rpfilter --loose -j ACCEPT # n would be an numeric index into the INPUT CHAIN -- default is append to INPUT chain
iptables -I INPUT -p tcp -m hashlimit --hashlimit-mode srcip -s 1.2.3.4 --hashlimit-srcmask --hashlimit-above 9/second -j DROP
iptables -I INPUT -p tcp -s 1.2.3.4 -m limit --sport 80 --limit 100/second -j ACCEPT
There are countless others for your circumstances.
Sincerely,
ArrowInTree