2.10. Blocking Remote Access, but Permitting Local
Problem
You want only local users to access a TCP service; remote requests should be denied.
Solution
Permit connections via the loopback interface and reject all others.
For iptables:

    # iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
    # iptables -A INPUT -p tcp --dport service -j REJECT
For ipchains:

    # ipchains -A input -p tcp -i lo --dport service -j ACCEPT
    # ipchains -A input -p tcp --dport service -j REJECT
Alternatively, you can single out your local IP address specifically:
For iptables:

    # iptables -A INPUT -p tcp ! -s your_IP_address --dport service -j REJECT
For ipchains:

    # ipchains -A input -p tcp ! -s your_IP_address --dport service -j REJECT
Depending on your shell, you might need to escape the exclamation point.
Discussion
The local IP address can be a network specification, of course, such as a.b.c.d/N.
You can permit an unrelated set of machines to access the service but reject everyone else, like so:
For iptables:

    # iptables -A INPUT -p tcp -s IP_address_1 --dport service -j ACCEPT
    # iptables -A INPUT -p tcp -s IP_address_2 --dport service -j ACCEPT
    # iptables -A INPUT -p tcp -s IP_address_3 --dport service -j ACCEPT
    # iptables -A INPUT -p tcp --dport service -j REJECT

(An iptables chain policy, set with -P, may only be ACCEPT or DROP, so the catch-all rejection is written as a final rule for the port; iptables -P INPUT DROP would instead silently discard every unmatched packet arriving on the chain.)
For ipchains:

    # ipchains -A input -p tcp -s IP_address_1 --dport service -j ACCEPT
    # ipchains -A input -p tcp -s IP_address_2 --dport service -j ACCEPT
    # ipchains -A input -p tcp -s IP_address_3 --dport service -j ACCEPT
    # ipchains -P input REJECT
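The two iptables rulesets above (loopback-only access from the Solution, and the address allow-list from the Discussion) can be generated from one small script so the rules are reviewed before they are applied. The following is an added example, not code from the Linux Security Cookbook; the function names, the IPT variable and the sample port and addresses are assumptions chosen for illustration. By default it prints the commands (dry run); setting IPT=iptables and running as root applies them.

```shell
#!/bin/sh
# Added example (not from the Linux Security Cookbook): builds the rulesets
# from recipe 2.10 as a reviewable script. Dry run by default: IPT expands to
# "echo iptables", so the commands are printed rather than applied. Run with
# IPT=iptables (as root) to load them into the kernel.
IPT="${IPT:-echo iptables}"

# Accept only a numeric TCP port so a typo cannot silently produce a rule for
# the wrong service.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Local-only access. The loopback ACCEPT must precede the REJECT because a
# chain is evaluated top-down and the first matching rule decides.
local_only_rules() {
    port="$1"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    $IPT -A INPUT -p tcp -i lo --dport "$port" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$port" -j REJECT
}

# Allow-list: one ACCEPT per permitted source (host or a.b.c.d/N network),
# then a catch-all REJECT for the port. A final rule is used instead of
# "-P INPUT REJECT" because a chain policy may only be ACCEPT or DROP.
allowlist_rules() {
    port="$1"; shift
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    for src in "$@"; do
        $IPT -A INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -p tcp --dport "$port" -j REJECT
}

# Sample values (constructed): SSH on port 22, one host and one RFC 1918
# network permitted in the allow-list variant.
local_only_rules 22
allowlist_rules 22 192.168.1.10 192.168.1.0/24
```

Running the script without IPT set prints the eight iptables commands in the order they would be appended, which is the order that matters: an ACCEPT placed after the REJECT would never be reached.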
See Also
iptables(8), ipchains(8). ...