ETOOBUSY 🚀 minimal blogging for the impatient
iptables for SSH only
A basic iptables setup to allow only incoming SSH traffic.
Sometimes you need only the very basic, bare-bones remote service of being able to log in via SSH.
In these cases… it can be handy to use the following configuration for iptables:
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT COMMIT
It’s basically… everything drops, except what is expressely allowed.
The loopback stuff is brought up to avoid weird things happening in internal services.
The only additional allowed input (on all interfaces) is TCP traffic on port 22, a.k.a. SSH traffic. On the output side… it’s the same, but with a catch: it has to belong to an already-established session. That is: connections cannot start from the server.
If we save the file above in
/etc/iptables.rules, we can install them
#!/bin/sh /sbin/iptables-restore < /etc/iptables.rules
This might be saved in
anywhere else your Linux distro will run it automatically.
And now… credits:
minimal-iptables contains the rules restoration mechanism as well the file I used to get started with
the actual rules are taken from this post, adapted for
I hope it can be useful!