Linux – How to block everything with IPTABLES

iptableslinuxlinux-kernel

I would like to block everything EXCEPT SSH/FTP/HTTP/POSTFIX and MySQL.

With "everything" I mean all the other ports, block pings etc etc.

Best Answer

I'm guessing you mean incoming connections (the INPUT chain), and not forwarded ones (as in a router). Also I take postfix means just SMTP (25).

iptables -P INPUT ACCEPT
iptables -F INPUT

for port in 21 22 25 80 3306
do
  iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP

Test your FTP connection in particular, you may need to enable ip_conntrack_ftp for it to work correctly without modifying the client settings.

Related Solutions

Iptables – How to Unban an IP properly with Fail2Ban

With Fail2Ban before v0.8.8:

fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE

With Fail2Ban v0.8.8 and later:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule name...
...then use fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g' to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.

Linux – how to disable SSH login with password for some users

Try Match in sshd_config:

Match User user1,user2,user3,user4
    PasswordAuthentication no

Or by group:

Match Group users
    PasswordAuthentication no

Or, as mentioned in the comment, by negation:

Match User !root
    PasswordAuthentication no

Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)

Best Answer

Related Solutions

Iptables – How to Unban an IP properly with Fail2Ban

Linux – how to disable SSH login with password for some users

Related Topic