Iptables Rules Not Working
Hi,
I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am running the below iptables command to allow SSH port 22 from a specific source IP 219.91.200.59
iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT
The above iptables ruleset is not working and I am still able to connect from the internet to SSH port 22. I look forward to hearing from you and thanks in advance.
Best Regards,
Kaushal
8 thoughts on - Iptables Rules Not Working
On 16.07.2020 at 17:48, Kaushal Shriyan wrote:
Please consult the documentation to understand how to use the firewall on CentOS 8:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/securing_networks/index#using-and-configuring-firewalld_securing-networks
In short: you are doing it wrong in multiple dimensions.
Alexander
EL8 does not use iptables by default – it’s been replaced with nftables.
Hi,
I have run the below command but I am still able to connect from the internet. Do I need to add any drop traffic policy using nft?
#nft add rule ip filter INPUT ip saddr 219.91.200.59/32 tcp dport 22 ct state new,established counter accept
Any help will be highly appreciated. Thanks in advance.
Best Regards,
Kaushal
You haven’t given us enough to make a good evaluation. Is your INPUT policy DROP? Is your SSH destination this system or elsewhere? It makes a difference. I’m hearing iptables can still be used with nftables but I haven’t had need to investigate; you should look into the interaction of the two to make sure that’s not causing problems. Just a couple of possibilities. I don’t know if nftables still has the raw table which allows you to do an in-depth (and laborious) analysis of what’s happening by using the -j TRACE option but, if you can’t find the issue by other means, it may be necessary.
On 16.07.20 at 18:11, Kaushal Shriyan wrote:
Better start with firewalld, a frontend to nft
What is the output of
firewall-cmd --list-all
A single rule doesn’t tell us enough. Dump the entire firewall to a pastebin and post the link here.
Hi Kenneth,
Please refer to my pastebin link https://paste.CentOS.org/view/cd55a9a6. Basically I want to allow the below-mentioned ruleset on the server (CentOS Linux release 8.2.2004 (Core)) and drop the rest of the network traffic from 0.0.0.0/0
1. Allow http port 80 from 0.0.0.0/0
2. Allow https port 443 from 0.0.0.0/0
3. Allow SSH port 22 only from our office IP: 219.91.200.59
I look forward to hearing from you. Thanks in advance.
Best Regards,
Kaushal
Your default input policy is accept. Change it to drop.
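The whole thread comes down to the last reply: an accept rule for one source address restricts nothing while the chain's policy is still accept. The script below is an added example, not something posted in the thread or shipped by CentOS. It does two things: `gen_ruleset` emits a complete nftables ruleset for the three goals Kaushal listed (80 and 443 from anywhere, 22 only from 219.91.200.59, everything else dropped), and `audit_input_policy` reads an `nft list ruleset` dump and flags any chain hooked on input whose policy is accept, which is the check that would have caught this. The table and chain names (`inet filter`, lower-case `input`) are my choice rather than the poster's `ip filter`/`INPUT`; the sample dump is constructed to resemble the situation described, not copied from the pastebin.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a default-drop nftables
# ruleset for the poster's stated goals and audits a ruleset dump for
# input chains that still have policy accept.
set -eu

OFFICE_IP="219.91.200.59"   # office address from the thread; the only source allowed to reach SSH

# Emit a complete ruleset. On EL8 this is the shape of /etc/sysconfig/nftables.conf
# and is loaded with `nft -f <file>`. Table/chain names are assumed, not the poster's.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    tcp dport { 80, 443 } accept
    ip saddr ${OFFICE_IP} tcp dport 22 ct state new accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Read an `nft list ruleset` dump on stdin. Print one finding per chain that is
# hooked on input with policy accept, and exit 1 if there was at least one.
# In such a chain, an "accept from X" rule does not exclude anyone else.
audit_input_policy() {
  awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*chain[[:space:]]/ { chain = $2 }
    /hook input/ && /policy accept/ {
      print "input chain \"" chain "\" has policy accept: per-source accept rules do not restrict access"
      bad = 1
    }
    END { exit bad }
  '
}

# Constructed dump resembling the thread: a single accept rule in an INPUT chain
# whose policy is accept, so SSH stays reachable from everywhere.
SAMPLE_DUMP='table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		ip saddr 219.91.200.59 tcp dport 22 ct state new,established counter packets 0 bytes 0 accept
	}
	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}
	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}'

# Demonstration: the constructed dump is flagged; the generated ruleset is clean.
printf '%s\n' "$SAMPLE_DUMP" | audit_input_policy || echo "fix: load a ruleset whose input chain has policy drop (see gen_ruleset)"
gen_ruleset | audit_input_policy && echo "generated ruleset: input policy is drop"
```

Run it on a live box with `nft list ruleset | sh -c '. ./audit.sh; audit_input_policy'` or just paste the awk into a pipeline. One caveat the earlier replies raise: on EL8 firewalld is the supported front end and drives nftables itself, so loading a raw ruleset with `nft -f` while firewalld is active leaves firewalld's own tables in place alongside yours; either express the three goals through `firewall-cmd` (a rich rule for port 22 with `source address="219.91.200.59"`, plus the http and https services) or stop and disable firewalld before managing nftables directly.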