23

I would like to configure my VPS in the way that it ONLY accepts connections from outside on port 22 (where sshd listens) and ICMP requests. Everything else from outside should be rejected. Inside the server, everything should be allowed. Do the following rules create the desired behaviour?

iptables -A INPUT --jump ACCEPT --protocol all   --source 127.0.0.1
iptables -A INPUT --jump ACCEPT --protocol tcp   --dport 22
iptabels -A INPUT --jump ACCEPT --protocol icmp
iptables -A INPUT --jump ACCEPT --match state    --state ESTABLISHED,RELATED
iptables -A INPUT --jump REJECT --protocol all

I am not completely sure if ACCEPT rules will "win" over the last overall REJECT

Bruno Bronosky
  • 909
Xpector
  • 427
  • 1
  • 5
  • 11
  • 1
    You shouldn't use --source 127.0.0.1 to determine if a packet is safe to accept. See http://serverfault.com/a/825231/4131 – Bruno Bronosky Jan 10 '17 at 05:53

1 Answers1

29

You are correct.

The rules will be processed in line order of the file. If there is a match for a rule no other rules will be processed for that IP packet in your case.

http://en.wikipedia.org/wiki/Iptables

Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not

NGRhodes
  • 9,490