Hi,

I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am running the below iptables command to allow SSH port 22 from a specific source IP 219.91.200.59

iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT
service iptables save

The above iptables ruleset is not working and I am still able to connect from the internet to SSH port 22. I look forward to hearing from you and thanks in advance.

Best Regards,

Kaushal
On 16.07.2020 at 17:48, Kaushal Shriyan wrote:
> Hi,
>
> I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am
> running the below iptables command to allow SSH port 22 from a specific
> source IP 219.91.200.59
>
> iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT
> service iptables save
>
> The above iptables ruleset is not working and I am still able to connect
> from the internet to SSH port 22. I look forward to hearing from you and
> thanks in advance.
>
> Best Regards,
>
> Kaushal

Please consult the documentation to understand how to use the firewall on CentOS 8:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/securing_networks/index#using-and-configuring-firewalld_securing-networks

In short: you are doing it wrong in multiple dimensions.

Alexander
On 16/07/2020 16:48, Kaushal Shriyan wrote:
> Hi,
>
> I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am
> running the below iptables command to allow SSH port 22 from a specific
> source IP 219.91.200.59
>
> iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT
> service iptables save
>
> The above iptables ruleset is not working and I am still able to connect
> from the internet to SSH port 22. I look forward to hearing from you and
> thanks in advance.
>
> Best Regards,
>
> Kaushal

EL8 does not use iptables by default - it's been replaced with nftables.
On Thu, Jul 16, 2020 at 9:25 PM Phil Perry <pperry at elrepo.org> wrote:
> On 16/07/2020 16:48, Kaushal Shriyan wrote:
> > Hi,
> >
> > I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am
> > running the below iptables command to allow SSH port 22 from a specific
> > source IP 219.91.200.59
> >
> > iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT
> > service iptables save
> >
> > The above iptables ruleset is not working and I am still able to connect
> > from the internet to SSH port 22. I look forward to hearing from you and
> > thanks in advance.
> >
> > Best Regards,
> >
> > Kaushal
>
> EL8 does not use iptables by default - it's been replaced with nftables.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Hi,

I have run the below command but I am still able to connect from the internet. Do I need to add any drop traffic policy using nft?

#nft add rule ip filter INPUT ip saddr 219.91.200.59/32 tcp dport 22 ct state new,established counter accept

Any help will be highly appreciated. Thanks in advance.

Best Regards,

Kaushal
You haven't given us enough to make a good evaluation. Is your INPUT policy DROP? Is your ssh destination this system or elsewhere? It makes a difference. I'm hearing iptables can still be used with nftables but I haven't had need to investigate; you should look into the interaction of the two to make sure that's not causing problems. Just a couple of possibilities.

I don't know if nftables still has the raw table which allows you to do an in-depth (and laborious) analysis of what's happening by using the -j TRACE option but, if you can't find the issue by other means, it may be necessary.

________________________________
From: CentOS <centos-bounces at centos.org> on behalf of Phil Perry <pperry at elrepo.org>
Sent: Thursday, July 16, 2020 10:54 AM
To: centos at centos.org <centos at centos.org>
Subject: [EXTERNAL] Re: [CentOS] Iptables rules not working

Leroy Tennison
Network Information/Cyber Security Specialist
E: leroy at datavoiceint.com
2220 Bush Dr
McKinney, Texas 75070
www.datavoiceint.com

On 16/07/2020 16:48, Kaushal Shriyan wrote:
> Hi,
>
> I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am
> running the below iptables command to allow SSH port 22 from a specific
> source IP 219.91.200.59
>
> iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT
> service iptables save
>
> The above iptables ruleset is not working and I am still able to connect
> from the internet to SSH port 22. I look forward to hearing from you and
> thanks in advance.
>
> Best Regards,
>
> Kaushal

EL8 does not use iptables by default - it's been replaced with nftables.
On Fri, Jul 17, 2020 at 2:41 AM Kenneth Porter <shiva at sewingwitch.com> wrote:
> --On Thursday, July 16, 2020 10:41 PM +0530 Kaushal Shriyan
> <kaushalshriyan at gmail.com> wrote:
>
> > I have run the below command but I am still able to connect from the
> > internet. Do I need to add any drop traffic policy using nft?
>
> A single rule doesn't tell us enough. Dump the entire firewall to a
> pastebin and post the link here.

Hi Kenneth,

Please refer to my pastebin link https://paste.centos.org/view/cd55a9a6. Basically I want to allow the below mentioned ruleset on the server (CentOS Linux release 8.2.2004 (Core)) and drop the rest of the network traffic from 0.0.0.0/0

1. Allow http port 80 from 0.0.0.0/0
2. Allow https port 443 from 0.0.0.0/0
3. Allow SSH port 22 only from our office IP:- 219.91.200.59

I look forward to hearing from you. Thanks in advance.

Best Regards,

Kaushal
--On Friday, July 17, 2020 6:43 AM +0530 Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
> Please refer to my pastebin link https://paste.centos.org/view/cd55a9a6.
> Basically I want to allow the below mentioned ruleset on the server
> (CentOS Linux release 8.2.2004 (Core)) and drop the rest of the network
> traffic from 0.0.0.0/0

Your default input policy is accept. Change it to drop.
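For reference, here is a complete native nftables ruleset that implements the three-item policy Kaushal asked for (HTTP and HTTPS from anywhere, SSH only from 219.91.200.59, everything else dropped) with the input chain's default policy set to drop, which is the point of Kenneth's answer. This is an added example, not a ruleset posted by anyone in the thread and not the contents of the pastebin. It assumes a CentOS 8 host where the nftables service manages the firewall and firewalld is disabled (the two should not both own the ruleset; if firewalld is in use, express the same policy through firewall-cmd instead, as Alexander's link describes). The table and chain names are my own choice, and the rate limit and log prefix are illustrative values.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumes firewalld is stopped
# and the nftables service loads this file.
flush ruleset

table inet filter {
    chain input {
        # Default policy drop: anything not explicitly accepted below is discarded.
        # A rule-only approach with policy accept (the thread's problem) drops nothing.
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, and related traffic (e.g. FTP data);
        # this also keeps the current admin SSH session alive while the ruleset loads.
        ct state established,related accept
        ct state invalid drop

        # Loopback
        iif "lo" accept

        # ICMP / ICMPv6 (ping, path-MTU discovery, neighbour discovery)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # 1. and 2.: web traffic from anywhere (0.0.0.0/0 is the implicit match)
        tcp dport { 80, 443 } ct state new accept

        # 3.: SSH only from the office address; any other source falls through to drop
        ip saddr 219.91.200.59 tcp dport 22 ct state new accept

        # Optional: record what the policy is about to drop, rate-limited to avoid log floods
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router, so nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

On CentOS 8 the nftables service reads /etc/sysconfig/nftables.conf, so saving the file there and running `systemctl enable --now nftables` makes it persistent; `nft -f <file>` loads it immediately and `nft list ruleset` shows what the kernel actually has, which is the check to run before trusting a rule from a remote client. The `ct state new` qualifiers are what make the source restriction on port 22 meaningful: without the established,related rule at the top, the default drop would also kill the return half of already-open connections.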