I'd suggest grabbing a firewall configuration tool, such as Firestarter, and going from there. Here are some basics for you, though.
# Flush existing rules (note: -F removes rules only; chain policies are left as they are)
iptables -F
# Set the default policy of the INPUT chain to DROP (policies are per chain, not per interface)
iptables -P INPUT DROP
# Allow existing connections to continue
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept everything from the 192.168.1.x network
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# Allow connections from this host to 192.168.2.10 (only has an effect if the OUTPUT policy is DROP)
iptables -A OUTPUT -o eth0 -d 192.168.2.10 -j ACCEPT
If you want to allow arbitrary ranges rather than entire subnets, you can use the 'iprange' iptables module:
iptables -P INPUT DROP
# iprange needs both ends written out as full addresses
iptables -A INPUT -m iprange --src-range 192.168.1.30-192.168.1.50 -j ACCEPT
for example, will allow traffic coming from all machines with addresses between 192.168.1.30 and 192.168.1.50.
If you want to allow incoming and outgoing traffic to the same range of IPs, I'd suggest that you create a specific chain that allows those IPs and send all INPUT and OUTPUT traffic to it:
--define the default policies to drop everything:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
--create the new chain:
iptables -N allowed_ips
--if the source is part of the allowed range, accept (both ends of the range must be full addresses)
iptables -A allowed_ips -m iprange --src-range 192.168.1.30-192.168.1.50 -j ACCEPT
--for packets leaving the machine the source is this host, so also accept when the destination is in the range
iptables -A allowed_ips -m iprange --dst-range 192.168.1.30-192.168.1.50 -j ACCEPT
--if not, return to the caller chain to continue processing
iptables -A allowed_ips -j RETURN
--make all traffic entering and leaving the machine go through our new chain
iptables -A INPUT -j allowed_ips
iptables -A OUTPUT -j allowed_ips
and that's it! Of course you may need additional rules, such as one allowing all traffic from/to the lo interface, etc.
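Putting the two answers above together, as an added example (this is not code from any of the answers, nor from the iptables project): a shell function that emits the whole ruleset in iptables-restore format, so it can be checked with `iptables-restore --test` and then loaded atomically instead of being typed rule by rule (where a typo after `-P INPUT DROP` can lock you out). It uses the allowed_ips chain idea, matches the range on the source for inbound and on the destination for outbound, and adds the loopback and established-connection rules the second answer says you still need. The range 192.168.1.30-192.168.1.50 is an assumed value, and `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used above.

```bash
#!/bin/sh
# Added example, not from the answers above. Generates an iptables-restore
# ruleset that only talks to an allowed IP range (assumed: 192.168.1.30-50).

gen_ruleset() {
    # $1 = first address of the allowed range, $2 = last address
    first="$1"
    last="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed_ips - [0:0]
# loopback must always work, or local services break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# keep replies to connections that were already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything else goes through the allow-list chain
-A INPUT -j allowed_ips
-A OUTPUT -j allowed_ips
# inbound: match the sender; outbound: match the destination
-A allowed_ips -m iprange --src-range ${first}-${last} -j ACCEPT
-A allowed_ips -m iprange --dst-range ${first}-${last} -j ACCEPT
# anything else returns to the calling chain and hits the DROP policy
-A allowed_ips -j RETURN
COMMIT
EOF
}

apply_ruleset() {
    # Syntax-check the generated file without touching the kernel, then load
    # it in one step. Needs root; intended for use on a console, not over the
    # network you are about to filter.
    tmp=$(mktemp) || return 1
    gen_ruleset "$1" "$2" > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
    fi
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: print the ruleset for the assumed range (or the two
# addresses given as arguments) so it can be reviewed or redirected to a file.
gen_ruleset "${1:-192.168.1.30}" "${2:-192.168.1.50}"
```

Redirect the output to a file and feed it to `iptables-restore` (on Debian with iptables-persistent that file is /etc/iptables/rules.v4); `apply_ruleset 192.168.1.30 192.168.1.50` does the check-then-load from a root shell.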
This will turn your system into a non-existent system for non-allowed computers.
Once you are happy with your rules, you probably want to save them. The comments in this link have several options on how to do that.
An easy-to-use iptables rules generator for simple needs is ufw. The package is available in Debian unstable.
Also try Firestarter. Available in lenny.
You may also use ferm, which I have also been using for the past year and which has helped me a lot with cases such as conditional firewall rules.