Linux Firewall

Within Webmin, the module to manage the Linux Firewall has a set of default rules for services (e.g. FTP, SSH, etc.) and by default these are not limited to source IP addresses. I want to restrict both SSH & FTP to one or two IP addresses, so to test this for SSH, in the Source address or network I changed the drop down to equals (from ignored), entered one IP address and saved; however, this didn’t stop me from connecting from a different IP address. What am I doing wrong?

Can anyone help on this?

Howdy,

You may just need to hit the “Apply Configuration” button on the bottom of the screen.

If you log in over SSH, and run “iptables -L -n”, you should see the rule you added. If you don’t, that means the rule wasn’t yet applied.

-Eric

Just to confirm, I am using the apply in the main screen.

I am adding the rule to the…

Incoming packets (INPUT) - Only applies to packets addressed to this host

Running iptables -L -n

I do see my rule for SSH with the IP address specified…

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 188.92.238.166 0.0.0.0/0 tcp dpt:22

However I can still SSH in from a different IP

Am I adding the rule correctly in the “Incoming packets (INPUT)” chain, and do I need to add another rule to explicitly deny SSH from other IPs?

Can you paste in the full output of “iptables -L -n”?

-Eric

# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 188.92.238.166 0.0.0.0/0 tcp dpt:22
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@rs1 ~]#

In your “RH-Firewall-1-INPUT” chain, there are rules there that would allow any packet destined for port 22.

If you wish to restrict access to just this one IP, you’d probably need to remove the port 22 allow rule in the RH-Firewall-1-INPUT chain.

-Eric

OK, so should I be applying my rules to the Chain RH-Firewall-1-INPUT rather than the Chain INPUT? Is that what you are saying?

Well, both chains are valid.

The problem you appear to be seeing is that the other chain contains an allow rule, allowing all port 22 traffic.

So it doesn’t matter if you create an allow rule for just one IP address, as all port 22 traffic is being allowed.

What you may need to do is go into that other chain, and remove the rule allowing all port 22 traffic.

-Eric
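As an added illustration (not part of the thread or of Webmin), here is a small Python model of how netfilter walks the chains pasted above: the first matching rule wins, a jump into a user chain comes back to the caller if that chain reaches no verdict, and the built-in chain's policy applies only when everything else has been passed. The rule lists are a constructed copy of the output above keeping only the rules relevant to port 22, and the second client address 203.0.113.7 is a constructed example; it shows why the per-IP ACCEPT in INPUT changes nothing until the port-22 ACCEPT in RH-Firewall-1-INPUT is removed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                 # ACCEPT, REJECT, or the name of a user chain to jump to
    proto: str = "all"
    dport: Optional[int] = None
    src: str = "0.0.0.0/0"      # exact address or 0.0.0.0/0 (any); no CIDR math needed

    def matches(self, proto: str, src: str, dport: int) -> bool:
        return ((self.proto in ("all", proto))
                and (self.dport is None or self.dport == dport)
                and (self.src == "0.0.0.0/0" or self.src == src))

def walk(chains, policies, chain, proto, src, dport) -> Optional[str]:
    """Verdict reached starting at `chain`, or None if a user chain ran out of rules."""
    for rule in chains[chain]:
        if not rule.matches(proto, src, dport):
            continue
        if rule.target in chains:                     # target is a user-defined chain: jump
            verdict = walk(chains, policies, rule.target, proto, src, dport)
            if verdict is not None:
                return verdict                        # the user chain decided; stop here
            continue                                  # it returned without a verdict; carry on
        return rule.target                            # terminating target (ACCEPT/REJECT)
    return policies.get(chain)                        # built-in chain: policy; user chain: None

def verdict_for(rh_chain, src, dport=22, proto="tcp"):
    # Constructed subset of the thread's `iptables -L -n` output: the per-IP SSH rule,
    # then the unconditional jump into RH-Firewall-1-INPUT, with INPUT's policy DROP.
    chains = {
        "INPUT": [Rule("ACCEPT", "tcp", 22, src="188.92.238.166"),
                  Rule("RH-Firewall-1-INPUT")],
        "RH-Firewall-1-INPUT": rh_chain,
    }
    return walk(chains, {"INPUT": "DROP"}, "INPUT", proto, src, dport)

# As pasted: the user chain still accepts every new port-22 connection before its final REJECT.
ORIGINAL_RH = [Rule("ACCEPT", "tcp", 22), Rule("REJECT")]
# After the change Eric suggests: the "allow all port 22" rule is gone, only the REJECT remains.
FIXED_RH = [Rule("REJECT")]

if __name__ == "__main__":
    for client in ("188.92.238.166", "203.0.113.7"):     # 203.0.113.7 is a constructed "other" IP
        print(client, "original:", verdict_for(ORIGINAL_RH, client),
              "fixed:", verdict_for(FIXED_RH, client))
```

The same walk also shows where the INPUT policy of DROP finally applies: only when a packet matches nothing in INPUT and the user chain returns without a verdict.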

Thanks for your help on this, I’ve got it working now!