June 2003
336 pages
English
You want only local users to access a TCP service; remote requests should be denied.
Permit connections via the loopback interface and reject all others.
For iptables:
# iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT
For ipchains:
# ipchains -A input -p tcp -i lo --dport service -j ACCEPT
# ipchains -A input -p tcp --dport service -j REJECT
Alternatively, you can single out your local IP address specifically:
For iptables:
# iptables -A INPUT -p tcp ! -s your_IP_address --dport service -j REJECT
For ipchains:
# ipchains -A input -p tcp ! -s your_IP_address --dport service -j REJECT
Depending on your shell, you might need to escape the exclamation point.
The local IP address can be a network specification, of course, such
as a.b.c.d/N.
You can permit a particular set of machines to access the service while rejecting everyone else, like so:
For iptables:
# iptables -A INPUT -p tcp -s IP_address_1 --dport service -j ACCEPT
# iptables -A INPUT -p tcp -s IP_address_2 --dport service -j ACCEPT
# iptables -A INPUT -p tcp -s IP_address_3 --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT
(iptables does not accept REJECT as a chain policy, and -P takes no -j, so the catch-all is written as a final REJECT rule for the port rather than as a default policy.)
For ipchains:
# ipchains -A input -p tcp -s IP_address_1 --dport service -j ACCEPT
# ipchains -A input -p tcp -s IP_address_2 --dport service -j ACCEPT
# ipchains -A input -p tcp -s IP_address_3 --dport service -j ACCEPT
# ipchains -P input REJECT
Note that -P sets the chain's default policy, so every inbound packet that is not explicitly accepted is rejected, not only traffic for this service; if you want to restrict the one service only, append a final REJECT rule for its port instead, as in the first solution.
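The following is an added example, not code from the book: a shell function that generates the iptables rules for the "allowed hosts" recipe above from a port number and a list of source addresses, always admitting loopback first and ending with an explicit REJECT rule for the port. IPT is an assumed variable that defaults to printing the commands, so the script can be reviewed before a root user runs it with IPT=iptables.

```shell
#!/bin/sh
# Added example: build an iptables ruleset that allows one TCP service from
# loopback plus a list of source addresses/networks and rejects it from
# everyone else. Assumption: IPT defaults to "echo iptables" (dry run) and
# is set to "iptables" by root to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Usage: restrict_service PORT [SRC ...]
# Emits (or runs) one ACCEPT rule for lo, one ACCEPT rule per SRC, and a
# final REJECT rule for the port. Returns 1 on an invalid port.
restrict_service() {
    port="$1"; shift
    # Refuse anything that is not a plain 1-65535 port number rather than
    # passing unexpected text into the rule.
    case "$port" in
        ''|*[!0-9]*) echo "restrict_service: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "restrict_service: port out of range: $port" >&2; return 1
    fi
    # Local clients via the loopback interface are always allowed.
    $IPT -A INPUT -p tcp -i lo --dport "$port" -j ACCEPT
    # One rule per permitted source (host or a.b.c.d/N network).
    for src in "$@"; do
        $IPT -A INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT
    done
    # Catch-all as a rule, not a chain policy: REJECT is not a valid policy
    # target in iptables, and a DROP policy would affect every other service.
    $IPT -A INPUT -p tcp --dport "$port" -j REJECT
}

# Counts the rules a call would produce: lo + sources + final REJECT.
rule_count() {
    restrict_service "$@" | wc -l | tr -d ' '
}
```

Run it as `restrict_service 25 192.0.2.10 192.0.2.0/24` (constructed addresses) to print the ruleset, then re-run with IPT=iptables as root to install it.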
iptables(8), ipchains(8). ...