I always get nervous when editing iptables as I know how simple it can be to end up blocking all traffic to the server, a rather large issue when your server is sitting on the cloud.
Would these be the correct series of commands?
iptables -A INPUT -p tcp --dport 123 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -s 5.6.7.8 -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -j DROP
iptables-save
This doesn't answer your question - others are doing a nice job of that - but it does address your other concern: locking yourself out of your remote server. Whenever I'm doing a big iptables change on a system, I always check that atd is running, then put an at job for about 10 minutes in the future to take the firewall down, something like

That way I know that if I really foul up and lock myself out, in ten minutes' time I'll be able to get back in and fix things. If I finish my work, and I haven't fouled up, I can find that job with atq and delete it with atrm before it even runs.
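The safety net described in the answer above, written out as an added example (this is not the answerer's own command). It assumes root, a running atd, and iptables-save/iptables-restore and pgrep on the box; the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any answerer: wrap an
# iptables change in an at(1)-scheduled rollback, as the first answer suggests.
# Assumes: root, atd running, iptables-save/iptables-restore and pgrep present.
# The file paths below are constructed for the example.
set -eu

BACKUP="${BACKUP:-/root/iptables.rollback}"
ROLLBACK_SCRIPT="${ROLLBACK_SCRIPT:-/root/iptables-rollback.sh}"

# Write an executable script at path $2 that restores the ruleset saved in $1.
write_rollback_script() {
    backup="$1"; script="$2"
    cat > "$script" <<EOF
#!/bin/sh
# Generated rollback: restore the ruleset saved before the change.
iptables-restore < $backup
EOF
    chmod 700 "$script"
}

# Queue the rollback script with at(1) and print the job number so it can be
# removed with atrm once the change is confirmed good.
schedule_rollback() {
    script="$1"; minutes="$2"
    echo "$script" | at "now + $minutes minutes" 2>&1 \
        | sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

# Save the live ruleset, arm the safety net, then run the rule commands in $1.
# Refuses to proceed if atd is not running: no safety net, no change.
safe_apply() {
    rules="$1"; minutes="${2:-10}"
    if ! pgrep -x atd >/dev/null; then
        echo "atd is not running; not touching the firewall" >&2
        return 1
    fi
    iptables-save > "$BACKUP"
    write_rollback_script "$BACKUP" "$ROLLBACK_SCRIPT"
    job=$(schedule_rollback "$ROLLBACK_SCRIPT" "$minutes")
    echo "rollback job $job fires in $minutes minutes; 'atrm $job' cancels it"
    sh "$rules"   # e.g. a file holding the -P INPUT DROP and ACCEPT lines
}

# Usage (as root): safe_apply /root/new-rules.sh 10
```

Once you have confirmed you can still log in, cancel the queued job with atrm as the answer describes; if the change locked you out, the job restores the saved ruleset on its own.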
before it even runs.It should work, but it can be improved. You haven't posted what your default INPUT policy is. If it is ACCEPT, then your commands should work, although not the most recommended one. If it is DROP, then you don't need the line before
iptables-save
.The most recommended policy for iptables, as well as for any other firewall, is to DROP EVERYTHING and then explicitly allow the ports/protocols you want to permit. So you start with this -
Then you explicitly allow the incoming traffic destined for port 123/tcp:
iptables -A INPUT -p tcp --dport 123 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -s 5.6.7.8 -j ACCEPT
In the Debian iptables package there is '/usr/sbin/iptables-apply', which asks you whether everything is OK after applying the changes; if you do not reply to the question, the changes are undone.