2.10. Blocking Remote Access, but Permitting Local

Problem

You want only local users to access a TCP service; remote requests should be denied.

Solution

Permit connections via the loopback interface and reject all others.

For iptables :

# iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT

For ipchains:

# ipchains -A input -p tcp -i lo --dport service -j ACCEPT
# ipchains -A input -p tcp --dport service -j REJECT

Alternatively, you can single out your local IP address specifically:

For iptables:

# iptables -A INPUT -p tcp ! -s your_IP_address --dport service -j REJECT

For ipchains:

# ipchains -A input -p tcp ! -s your_IP_address --dport service -j REJECT

Depending on your shell, you might need to escape the exclamation point.

Discussion

The local IP address can be a network specification, of course, such as a.b.c.d/N.

You can permit an unrelated set of machines to access the service but reject everyone else, like so:

For iptables:

# iptables -A INPUT -p tcp -s IP_address_1 --dport service -j ACCEPT
# iptables -A INPUT -p tcp -s IP_address_2 --dport service -j ACCEPT
# iptables -A INPUT -p tcp -s IP_address_3 --dport service -j ACCEPT
# iptables -P INPUT -j REJECT

For ipchains:

# ipchains -A input -p tcp -s IP_address_1 --dport service -j ACCEPT
# ipchains -A input -p tcp -s IP_address_2 --dport service -j ACCEPT
# ipchains -A input -p tcp -s IP_address_3 --dport service -j ACCEPT
# ipchains -P input -j REJECT

See Also

iptables(8), ipchains(8). ...

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial