I would like to setup iptables rules on remote server in that manner that I am able to access to it only from specific IP address.
The current iptables list looks like this:
root@localhost:~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 1.2.3.4 anywhere tcp dpt:ssh
ACCEPT tcp -- 2.2.2.2 anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain l (0 references)
target prot opt source destination
Where 1.2.3.4 and 2.2.2.2 are the IP destinations from where I want to have access to this machine.
And all that works fine. If i type:
ssh root@server-ip-address-here
i have access only from those 2 locations. Any other location is encountering timeout and its not able to reach port 22.
The thing is, i have a domain associated with this server/ip for example, example.com.
Now, what puzzles me is, if i try to access to the ssh using the domain name, im able to reach the port without any kind of issues??
ssh root@example.com
- Are you able to explain why this is happening? I was expecting different behaviour (DNS will resolve domain to IP, ssh will try to use that IP to reach the port and it will be blocked).
- How i can fully block ssh access (tcp connection) on port 22, for other sources beside those 2 ips (no matter how they try to reach the port)?
Best Answer
The best rule for setting access to your server from a known IP is:
And in case you wish to change your OUTPUT chain to DROP or REJECT, then you would need the following rule too:
But your rule seems to be ok.
If you are connecting to a domain (domain.com for ex.) and reaching a ssh server, you should check if you have set a CDN or reverse proxy for the domain which doesn't have the iptables rule droping the connection. Also a firewall doing NAT could cause a response if that port is not forwarded and the firewall has the ssh service enabled, or anything in the middle between your client and server that has an ssh server running as a matter of fact. Most likely it is the ssh-server of another device, or you have something wrong with your network/setup.
Update after ipv6 comment
If you are using ipv6 you should check the ipv6 rules for iptables:
You have, at least, 2 options:
1) If you are allowing everything, you can restrict to the ipv6 address of the ipv4 devices that you are allowing (notice the IPv6-ADDRESS) for the ssh service:
2) Or directly DROP everything coming from IPv6 by default: