100
votes
Accepted
Limit SSH access to specific clients by IP address
You can limit which hosts can connect by configuring TCP wrappers or filtering network traffic (firewalling) using iptables. If you want to use different authentication methods depending on the client ...
48
votes
Limit SSH access to specific clients by IP address
Here is some additional configuration for the SSH daemon to extend the previous answer:
Add user filtering with AllowUsers option in sshd_config file:
AllowUsers [email protected].* [email protected].* otherid1 ...
29
votes
Accepted
What's the point of firewalling outgoing connections?
There can be many reasons why someone might want to have outgoing ports closed. Here are some that I have applied to various servers at various times
The machine is in a corporate environment where ...
26
votes
How does reverse SSH tunneling work?
This is explained in the SSH manual, especially the differences between -L (local) and -R (remote).
-L
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to ...
26
votes
Accepted
Why are my network connections being rejected?
Well, I figured it out. And it's a doozy.
CentOS 8 uses nftables, which by itself isn't surprising. It ships with the nft version of the iptables commands, which means when you use the iptables ...
25
votes
How to protect against port scanners?
A simple rate limit is not enough because nmap increases its scan delay when it hits a rate limit. Here is the best you can do with iptables.
First, create the ipset lists:
ipset create port_scanners hash:ip ...
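An added example (my own, not the answer's script) of the approach the answer starts on: a source is banned after it opens connections to too many distinct ports, however slowly it does so, which is what defeats nmap's adaptive slowdown. The set names, thresholds and timeouts are assumptions; the function only prints the commands so they can be inspected before being applied.

```shell
#!/bin/sh
# Added example, not the answer's own script: emit ipset + iptables rules that
# ban a source after it touches too many *distinct* ports, whatever its pace.
# Counting distinct ports rather than packets per second is what defeats
# nmap's adaptive slowdown. Set names, thresholds and timeouts are assumptions.
#
# Usage: portscan_rules [BAN_SECS] [MAX_PORTS] | sudo sh   (inspect first)
portscan_rules() {
    ban_secs="${1:-600}"   # seconds a detected scanner stays banned
    max_ports="${2:-5}"    # distinct new ports a source may open per hour
    cat <<EOF
# sources currently banned; entries expire on their own
ipset -exist create port_scanners hash:ip family inet hashsize 32768 maxelem 65536 timeout ${ban_secs}
# (source, destination port) pairs seen recently; a repeat to the same port is not a new probe
ipset -exist create scanned_ports hash:ip,port family inet hashsize 32768 maxelem 65536 timeout 60
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# a NEW connection to a port this source has not touched lately consumes one token;
# more than ${max_ports} such ports per hour puts the source on the ban list (and refreshes its timer)
iptables -A INPUT -m conntrack --ctstate NEW -m set ! --match-set scanned_ports src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst ${max_ports} --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 3600000 -j SET --add-set port_scanners src --exist
iptables -A INPUT -m conntrack --ctstate NEW -m set --match-set port_scanners src -j DROP
# remember the pair so the next packet to the same port is not counted again
iptables -A INPUT -m conntrack --ctstate NEW -j SET --add-set scanned_ports src,dst
EOF
}
```

Insert these rules ahead of your ordinary service ACCEPT rules: a legitimate client that connects to a handful of ports never exceeds the burst, while a scanner walking the port range is listed after its sixth new port and dropped for the full timeout.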
21
votes
Accepted
How do I get a list of the ports which belong to preconfigured firewall-cmd services?
You can find the XML files this information is stored in under /usr/lib/firewalld/services/ (for distro-managed services) and/or /etc/firewalld/services/ for your own user-defined services.
For example, ...
20
votes
Accepted
When and how to use chain priorities in nftables
UPDATE: iptables-nft (rather than iptables-legacy) is using the nftables kernel API and in addition a compatibility layer to reuse xtables kernel modules (those described in iptables-extensions) when ...
20
votes
What's the point of firewalling outgoing connections?
To expand on @roaima's answer:
Defense in depth.
Imagine that one server is compromised by malware. The malware installs a program that starts trying to send spam. By denying outgoing connections on ...
18
votes
Accepted
How to block clients by IP address from accessing certain URLs on my web server?
This may be more heavy weight than you're looking for, but you might consider using fail2ban (https://www.fail2ban.org). That's a tool that can monitor your log files and automatically ban addresses ...
17
votes
Accepted
How to import multiple ip's to Ipset?
You can use the ipset save/restore commands.
ipset save manual-blacklist
You can run the above command to see how you need to create your save file.
Example output:
create manual-blacklist hash:net ...
17
votes
Accepted
What is the relationship or difference among iptables, xtables, iptables-nft, xtables-nft, nf_tables, nftables
My view is that iptables, ip6tables, ebtables and arptables are a frontend tool-set to Netfilter.
They are a user-space tool-set that format and compile the rules to load them in the core Netfilter that ...
16
votes
Firewall rules based on Domain name instead of IP address
iptables itself only works with IP addresses, but you can create an ipset-based rule and update the ipset periodically.
ipset create allowed hash:ip family inet # IPv4-only
ipset create allowed6 ...
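An added example (my own, not from either the ipset-import answer or the domain-name answer above) that serves both: it turns a plain list of addresses or CIDRs into an `ipset restore` script, and does the same for host names resolved at run time, which is the periodic update the domain-name answer describes. The set names, the file format and the `getent` resolver are assumptions.

```shell
#!/bin/sh
# Added example (not from either answer above): turn a plain list of IPv4
# addresses/CIDRs, or a list of host names resolved at run time, into an
# `ipset restore` script. Set names and file paths are assumptions.

# Usage: ipset_restore_script SETNAME FILE | ipset -exist restore
# FILE holds one address or CIDR per line; blank lines and '#' comments are
# ignored, CRLF endings tolerated, anything that is not digits, dots and a
# slash is reported on stderr and skipped rather than corrupting the set.
ipset_restore_script() {
    name="$1"; file="$2"
    printf 'create %s hash:net family inet\n' "$name"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                # strip comments
        line="$(printf '%s' "$line" | tr -d '[:space:]')" # and whitespace/CR
        [ -n "$line" ] || continue
        case "$line" in
            *[!0-9./]*|/*|*/|.*|*.) printf 'skipping bad entry: %s\n' "$line" >&2; continue ;;
        esac
        printf 'add %s %s\n' "$name" "$line"
    done < "$file"
    return 0
}

# Usage: ipset_domain_script SETNAME NAME... | ipset -exist restore
# Resolves with getent (honours /etc/hosts and DNS); run it from cron to keep
# the set current, since the firewall rule itself only ever sees addresses.
ipset_domain_script() {
    name="$1"; shift
    printf 'create %s hash:ip family inet\n' "$name"
    for host in "$@"; do
        # getent prints one line per socket type; awk collapses them to unique addresses
        getent ahostsv4 "$host" |
            awk -v n="$name" '{ seen[$1]++ } END { for (a in seen) printf "add %s %s\n", n, a }'
    done
    return 0
}
```

`ipset -exist restore` makes the script safe to re-run. To replace a live set without a moment where it is empty, restore into a scratch set and then `ipset swap scratch allowed && ipset destroy scratch`; the rule that references `allowed` never sees the change.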
16
votes
How to check if any firewall is already installed
I would have a look at the system services. It is a good idea to review the default setup, because there may be services that you don't need, and you can disable them to improve performance, even ...
15
votes
Can you list iptables as a non-root user? and why?
It appears iptables needs both CAP_NET_RAW and CAP_NET_ADMIN to be able to read the tables. I tried
$ cp /usr/sbin/iptables ~/iptables # note, it may be a symbolic link
$ sudo setcap CAP_NET_RAW,...
15
votes
Accepted
SSH session through jumphost via remote port forwarding
It looks like you should be using local port-forwarding instead of remote port-forwarding. You may want to refer to the following helpful blog post by Dirk Loss:
SSH port forwarding visualized
It ...
14
votes
Accepted
iptables - default action at the end of user-defined chain
If none of the rules in a user-defined chain match, the default behavior is effectively RETURN: processing will continue at the next rule in the parent chain.
When a packet matches a rule whose ...
13
votes
Accepted
How to match both UDP and TCP for given ports in one line with nftables
With a recent enough nftables, you can just write:
meta l4proto {tcp, udp} th dport 53 counter accept comment "accept DNS"
Actually, you can do even better:
set okports {
type inet_proto . ...
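An added example (my own, not the answer's file) that puts the concatenated set into a complete, loadable ruleset: the element list is the only thing that changes when a service is added. The table and set names, the default port list and the surrounding stateful rules are assumptions; the function prints the ruleset so it can be syntax-checked with `nft -c -f` before it is loaded.

```shell
#!/bin/sh
# Added example, not the answer's own file: a complete inet ruleset that admits
# TCP and UDP services through one concatenated (protocol . port) set, so a new
# service is an element added to the set rather than a new rule. Table and set
# names and the default port list are assumptions.
#
# Usage: nft_okports_ruleset > /etc/nftables.conf && nft -c -f /etc/nftables.conf
nft_okports_ruleset() {
    # optional argument: comma-separated "proto . port" elements
    elements="${1:-tcp . 22, tcp . 53, udp . 53, udp . 123}"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    # "th dport" reads the port field whichever transport header is present
    set okports {
        type inet_proto . inet_service
        elements = { ${elements} }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        meta l4proto . th dport @okports counter accept comment "allowed services"
        # single-port form from the answer, kept for comparison:
        # meta l4proto { tcp, udp } th dport 53 counter accept
    }
}
EOF
}
```

Once loaded, `nft add element inet filter okports { tcp . 443 }` opens a new service at run time without touching the chain; `nft list set inet filter okports` shows what is currently admitted.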
13
votes
Accepted
Restrict local port access to a specific user
Do the same for IPv6 ... localhost resolves to both an IPv4 and IPv6 address, and v6 is preferred.
Edit 1:
ip6tables -I OUTPUT -o lo -p tcp --dport 5000 --match owner --uid-owner 1000 -j DROP
12
votes
Accepted
CentOS 8 firewalld + nftables or just nftables
I think the answer is fairly straightforward. First, you have done exactly the right thing...
Firewalld is a pure frontend. It's not an independent firewall by itself. It only operates by taking ...
12
votes
Accepted
Create dynamic blacklist with nftables
The hydra tool connects to the SSH server multiple times concurrently. In OP's case (comment: hydra -l <username> -P </path/to/passwordlist.txt> -I -t 6 ssh://<ip-address>) it will ...
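An added example (my own, not the answer's ruleset) of the dynamic blacklist the question asks for: a source that opens new SSH connections faster than the limit is written into a self-expiring set by the rule itself, and every later packet from it is dropped until the entry times out. The table and set names, the rate and the ban duration are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer: an nftables ruleset in which SSH sources
# exceeding a new-connection rate land in a dynamic, self-expiring set and are
# dropped. Table/set names, rate and timeout are assumptions.
#
# Usage: nft_ssh_blacklist_ruleset 4/minute 10m | nft -c -f -
nft_ssh_blacklist_ruleset() {
    rate="${1:-4/minute}"   # new SSH connections a source may open before being listed
    ban="${2:-10m}"         # how long an entry stays listed; refreshed on every further hit
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    # the rule below adds elements at packet time, hence "dynamic"; each
    # element carries its own timeout and its own rate-limit state
    set ssh_blackhole {
        type ipv4_addr
        flags dynamic,timeout
        timeout ${ban}
        size 65536
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        ip saddr @ssh_blackhole counter drop
        # a source over the rate is inserted into the set and this packet dropped
        tcp dport 22 ct state new add @ssh_blackhole { ip saddr limit rate over ${rate} } counter drop
        tcp dport 22 ct state new accept
    }
}
EOF
}
```

Because hydra's `-t 6` opens six sessions in parallel, the limit's burst allowance decides how many of those first connections are still served before the source is listed; test with the same `-t` value before trusting a threshold. The set is IPv4-only: cover IPv6 with a second set of type `ipv6_addr` keyed on `ip6 saddr`, and watch `nft list set inet filter ssh_blackhole` to see entries appear and expire.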
11
votes
how to make firewall changes permanent via firewall-cmd?
You can also do something like this:
sudo firewall-cmd --zone=public --add-port=7198/tcp
sudo firewall-cmd --zone=public --add-port=7199/tcp
sudo firewall-cmd --runtime-to-permanent
... which will ...
11
votes
Can you list iptables as a non-root user? and why?
Indeed, iptables uses the netlink interface to communicate with the kernel. It opens a netlink socket to xtables, then issues commands via this socket. Access control is performed when the socket is ...
11
votes
Accepted
How to properly log and view nftables activity?
You can use nftrace to trace packet flows. It's very verbose but doesn't go to kernel logs but instead is distributed over multicast netlink socket (i.e. if nothing listens to them, traces just go to &...
10
votes
creating an alternate jail in fail2ban for manual banning
Here's how I did this:
I added this to jail.local:
[manban]
enabled = true
filter = manban
action = iptables[name=HTTP, port="80,443,110,995,25,465,143,585,993,587,21,22", protocol=tcp]
...
10
votes
Accepted
can I access ssh server by using another ssh server as intermediary
If you have OpenSSH 7.3p1 or later, you can tell it to use server1 as a jump host in a single command:
ssh -J server1 server2
See fcbsd’s answer for older versions.
10
votes
Accepted
choosing firewall: ufw vs nftables vs iptables
There are essentially two separate firewall stacks in the kernel: the older iptables-based stack, and the newer nftables-based stack. However, because some programs are designed to work with one and ...
9
votes
Accepted
How to get metrics about dropped traffic via iptables?
There are counters for each rule in iptables which can be shown with the -v option. Add -x to avoid the counters being abbreviated when they are very large (eg 1104K). For example,
$ sudo iptables -L ...