I'm lost in Linux, can somebody help me with an iptables command to allow only the IP Address 5.5.5.5 to access port 22?

I've got that port restricted to the same IP in the EC2 security group, but I need to block it on the instance itself as well.

Brian Webster
  • "I've got that port restricted to the same IP in the EC2 security group, but I need to block it on the instance itself as well." Why? – ceejayoz Apr 27 '11 at 01:08
  • I want to verify that I am protected from other instances. I don't think this is excessive. If I am doubling up, then so be it. I'm a programmer daggumit! – Brian Webster Apr 27 '11 at 03:00
  • possible duplicate of [Iptables: How to allow only one ip through specific port?](http://serverfault.com/questions/146569/iptables-how-to-allow-only-one-ip-through-specific-port) – Brian Webster Apr 27 '11 at 03:02
  • 1
    If you knew more about how virtual machines worked and how the network devices are "wired" together you would understand how un-necessary is. You will basically make an environment that is no more secure but with more points of failure and more difficult to troubleshoot and administer. **Your time would be better spent making sure your ssh service itself was properly secured** with keys and such. – Caleb Apr 27 '11 at 08:21
  • I think the flaw in your reasoning is that you assume I am 100% effective at configuring EC2 security groups – Brian Webster Apr 27 '11 at 17:08

3 Answers

Aren't you being a little excessive? Your instances on EC2 are nicely isolated from other traffic by their own private firewall on the virtual network device you are "plugged into" upstream.

# -A appends both rules to the end of INPUT, so any earlier rule that already accepts tcp/22 would still win
iptables -A INPUT -p tcp -s 5.5.5.5/32 --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j REJECT
Caleb
Try:

# -I inserts at positions 1 and 2, so the ACCEPT is evaluated first and both rules sit ahead of anything already in INPUT
iptables -I INPUT 1 -p tcp --dport 22 -s 5.5.5.5 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -j REJECT

This adds a rule which specifically allows access from that IP, then a rule which specifically denies it from everyone else.

caelyx
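The two answers above give the rules themselves; what neither covers is applying them safely on an instance you are logged into over that very port. The script below is an added example, not code from either answer and not an AWS or iptables-project tool. It inserts the ACCEPT at position 1 and the REJECT at position 2 as caelyx's answer does, but skips a rule that is already present (checked with `iptables -C`), refuses anything that is not a bare IPv4 address, and includes a text check you can run on `iptables -S INPUT` output to confirm the ACCEPT really precedes the REJECT before you persist anything. The function names, the `--apply` flag and the choice of `--reject-with tcp-reset` are this example's own assumptions; 5.5.5.5 is the address from the question.

```shell
#!/bin/sh
# Added example, not code from the answers above: apply "allow only 5.5.5.5
# to tcp/22, reject everyone else" idempotently and in the right order.
# Assumes Linux with the iptables command; function names and the --apply
# flag are this example's own conventions.

ALLOWED_IP="${ALLOWED_IP:-5.5.5.5}"

# valid_ipv4 ADDR: exactly four dotted-decimal octets, no mask, no host name,
# so a typo cannot silently widen the ACCEPT rule.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ensure_rule CHAIN POS RULE...: insert RULE at POS in CHAIN unless an
# identical rule already exists (iptables -C exits 0 on a match), so running
# the script twice does not stack duplicate rules.
ensure_rule() {
    chain=$1; pos=$2; shift 2
    if iptables -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        iptables -I "$chain" "$pos" "$@"
        echo "added:   $chain $*"
    fi
}

# restrict_ssh IP: ACCEPT goes in at position 1 and REJECT at position 2, so
# both sit above any existing rule that might already accept tcp/22
# (appending with -A would leave such a rule in effect).
restrict_ssh() {
    ip=$1
    valid_ipv4 "$ip" || { echo "refusing to use '$ip' as source address" >&2; return 1; }
    ensure_rule INPUT 1 -p tcp --dport 22 -s "$ip" -j ACCEPT
    # tcp-reset makes rejected clients fail immediately instead of hanging
    # until timeout; DROP would also work but is slower to troubleshoot.
    ensure_rule INPUT 2 -p tcp --dport 22 -j REJECT --reject-with tcp-reset
}

# ssh_rules_ordered RULES IP: pure text check on the output of
# `iptables -S INPUT`. Succeeds only if an ACCEPT for IP on tcp/22 appears
# before the first source-less REJECT or DROP for tcp/22. Run it before
# persisting the ruleset; it also works on a saved dump.
ssh_rules_ordered() {
    rules=$1; ip=$2
    accept=$(printf '%s\n' "$rules" | grep -n -- "-s $ip/32" \
             | grep -- "--dport 22" | grep -- "-j ACCEPT" | head -n1 | cut -d: -f1)
    block=$(printf '%s\n' "$rules" | grep -n -- "--dport 22" | grep -v -- "-s " \
            | grep -E -- "-j (REJECT|DROP)" | head -n1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$block" ] && [ "$accept" -lt "$block" ]
}

# Only touch the live firewall when explicitly asked and running as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    restrict_ssh "$ALLOWED_IP"
    if ssh_rules_ordered "$(iptables -S INPUT)" "$ALLOWED_IP"; then
        echo "ok: ACCEPT for $ALLOWED_IP precedes the tcp/22 REJECT"
    else
        echo "WARNING: rule order is wrong, fix it before persisting" >&2
        exit 1
    fi
fi
```

Run it as `sudo sh restrict-ssh.sh --apply` from a session that originates at the allowed address, or with a second session held open, so a mistake cannot lock you out; then review `iptables -S INPUT` and only afterwards persist with `iptables-save`, since rules added this way do not survive a reboot. Note that the security group still filters first: these rules only ever see traffic the group has already let through, which is exactly the belt-and-braces the question asks for.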
This has also been covered in very similar posts: Iptables: How to allow only one ip through specific port?

Allow traffic on one port from one IP address with iptables

Skrap