
I have a Linux server behind an internet router which forwards port 22 to the Linux server. The router has no possibility to restrict the port forwarding to certain IP addresses (e.g. 1.2.3.4/32), so I need to enforce this restriction at the Linux server. Furthermore I want to allow all traffic from the current LAN, but without specifying the LAN by CIDR (e.g. 192.168.0.0/24), since this can change frequently and the eth0 interface gets its network configuration by DHCP.

What I want to achieve with iptables is this:

  1. allow from 1.2.3.4/32 to port 22
  2. allow from $LAN
  3. drop anything else

I can't find a solution to address the current LAN in an iptables rule without knowing the actual IP range. Does iptables offer any functionality for this?

Adrian
    Can you use `-i` for the interface name, i.e. `iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT`? Similar to https://serverfault.com/questions/244767/enable-iptables-on-one-interface – user996142 Apr 26 '18 at 21:53
  • Unfortunately no, because eth0 is the only interface of that server. When I drop anything else on that interface, the computers in $LAN get blocked too – Adrian Apr 27 '18 at 07:33
  • I don't know of any reasonable use of iptables for this (there's an unreasonable use that would involve altering routes with policy routing and trigger a lot of ARP requests). You should use a script running whenever the network configuration changes instead – A.B Apr 28 '18 at 15:24
  • Yeah, that was my final solution – Adrian May 01 '18 at 16:36
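
The approach the comments converge on (a script that rebuilds the rules whenever the DHCP lease changes) can be made concrete. The following is an added example, not code from the question or its comments: it reads the address and prefix length of the interface with `ip -4 -o addr show`, derives the network prefix from them with plain shell arithmetic, and feeds a complete `filter` table to `iptables-restore` so the chain is replaced atomically rather than flushed and refilled rule by rule (a flush-then-add sequence briefly leaves an empty DROP chain, which would also cut the SSH session running the script). Interface `eth0` and trusted host `1.2.3.4/32` are taken from the question; the loopback and `ESTABLISHED,RELATED` accept rules go beyond the three items listed there and are added so that replies to the server's own outgoing connections are not dropped. How the script gets invoked on a lease change is an assumption about the DHCP client in use and is left to the usage note.

```shell
#!/bin/sh
# Added example (not from the original post): recompute the INPUT policy from
# the interface's current DHCP-assigned address, so the LAN never has to be
# written into the rules as a fixed CIDR.
# Assumptions: interface eth0 and trusted SSH source 1.2.3.4/32 (from the
# question); the script is run as root by some hook when the lease changes.

IFACE="${IFACE:-eth0}"
TRUSTED_SSH_SRC="${TRUSTED_SSH_SRC:-1.2.3.4/32}"

# Turn "192.168.0.23/24" into the network prefix "192.168.0.0/24".
# POSIX arithmetic only (no ipcalc dependency); returns 1 on malformed input.
# Variables are global because POSIX sh has no "local".
lan_cidr() {
    addr_prefix=$1
    ip=${addr_prefix%/*}
    plen=${addr_prefix#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.
    set -- $ip              # positional parameters are now the four octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$plen" -eq 0 ]; then
        mask=0                                   # avoid a 32-bit shift
    else
        mask=$(( (0xFFFFFFFF << (32 - $plen)) & 0xFFFFFFFF ))
    fi
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# First global IPv4 address/prefix on the interface, e.g. "192.168.0.23/24".
# `ip -4 -o addr show dev eth0 scope global` prints one line per address:
#   2: eth0    inet 192.168.0.23/24 brd 192.168.0.255 scope global dynamic eth0
current_addr_prefix() {
    ip -4 -o addr show dev "$IFACE" scope global | awk '{ print $4; exit }'
}

# Emit the whole filter table in iptables-restore format for the given LAN.
# Policy DROP on INPUT implements "drop anything else"; loopback and
# conntrack replies are accepted so the host's own connections keep working.
ruleset() {
    lan=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -s $TRUSTED_SSH_SRC -p tcp --dport 22 -j ACCEPT
-A INPUT -i $IFACE -s $lan -j ACCEPT
COMMIT
EOF
}

# Derive the LAN from the live interface and swap the table in one shot.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    lan=$(lan_cidr "$(current_addr_prefix)") \
        || { echo "cannot determine LAN prefix on $IFACE" >&2; return 1; }
    ruleset "$lan" | iptables-restore
}

# Only touch the firewall when explicitly asked ("./lanfw.sh apply"), so the
# functions can be sourced or inspected without side effects.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run `./lanfw.sh apply` once by hand over the LAN (not over the forwarded SSH port) to confirm the generated table, then have the DHCP client call it on every new lease; with ISC dhclient on Debian-based systems that is a small hook in `/etc/dhcp/dhclient-exit-hooks.d/` checking `$reason` for BOUND, RENEW, REBIND or REBOOT, and under NetworkManager a dispatcher script in `/etc/NetworkManager/dispatcher.d/`. Which of these applies, and whether the lease actually arrives through them, is an assumption about the server in question and should be verified on the box before relying on it.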
