Pritesh Ugrankar:
Hi, I have a question on iptables. Let us say I have two servers - Server A (IP Address 172.17.8.9) and Server B (IP Address 172.17.8.10). Let us say, I put this rule in Server A:
iptables -A OUTPUT -p tcp -d 172.17.8.10 --dport 22 -j ACCEPT
and
iptables -A OUTPUT -p tcp --dport 22 -j DROP
So the above commands let me make an ssh connection to Server B and NOT to any other server.
Then after a few hours/days/weeks, someone puts this rule on Server B.
iptables -A INPUT -p tcp -s 172.17.8.9 --dport 22 -j DROP
As soon as this rule is set, Server B will NOT allow any ssh connection from Server A. Is my understanding right?
Bruno Domingues:
In short, yes: Server A will still send, but Server B will drop the packet. I would suggest using firewall-cmd, but it's your preference.
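To make the "yes" concrete, here is an added example (my own model, not code from the thread) that applies iptables first-match semantics to the exact rules quoted above: each chain is walked top to bottom, the first matching rule decides, and an unmatched packet falls through to the chain policy. It assumes a default ACCEPT policy on both chains, only the quoted rules, and no connection tracking; it also shows that swapping the two OUTPUT rules on Server A would block the connection before it ever left A.

```python
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """One iptables rule; a field left as None is a wildcard (option omitted)."""
    target: str                   # -j
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d
    dport: Optional[int] = None   # --dport

def matches(rule: Rule, pkt: Packet) -> bool:
    # Every specified match option must equal the packet's field.
    return all(getattr(rule, f.name) in (None, getattr(pkt, f.name))
               for f in fields(Packet))

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    # First matching rule wins; no match means the chain policy applies
    # (policy ACCEPT is an assumption of this model, not stated in the thread).
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The rules from the thread, in the order they were added.
SERVER_A_OUTPUT = [
    Rule("ACCEPT", proto="tcp", dst="172.17.8.10", dport=22),
    Rule("DROP", proto="tcp", dport=22),
]
SERVER_B_INPUT = [
    Rule("DROP", proto="tcp", src="172.17.8.9", dport=22),
]

def ssh_path(src: str, dst: str,
             a_output: List[Rule] = SERVER_A_OUTPUT,
             b_input: List[Rule] = SERVER_B_INPUT) -> Tuple[str, Optional[str]]:
    """Verdict on A's OUTPUT chain, then on B's INPUT chain (None if never sent)."""
    pkt = Packet("tcp", src, dst, 22)
    out = evaluate(a_output, pkt)
    if out != "ACCEPT":
        return out, None          # dropped locally on A, B never sees it
    return out, evaluate(b_input, pkt)

if __name__ == "__main__":
    print(ssh_path("172.17.8.9", "172.17.8.10"))   # ('ACCEPT', 'DROP')
```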
Alistair Mackay:
firewall-cmd is only present by default on Red Hat family distros.
iptables works everywhere.
Pritesh Ugrankar:
@Alistair Mackay please note, the way iptables is explained in the course is the best I've ever seen to date. Fantastic course!!
Patryk Dąbrowski:
I can't see iptables explained in the LFCS course? Is it there?
Pritesh Ugrankar:
@Patryk Dąbrowski sorry, it is in the Linux Basics course.
Alistair Mackay:
LFCS is primarily targeted at Red Hat Linux, hence they discuss firewall-cmd.
Alistair Mackay:
Also have a read of this:
https://kodekloud.com/blog/should-i-learn-ubuntu-or-red-hat-enterprise-linux-rhel/
Pritesh Ugrankar:
@Bruno Domingues and @Alistair Mackay, is there a way I can stop access to ssh or https etc. in case non-standard ports are used? For example, instead of saying
iptables -A INPUT -p tcp -s 172.17.8.9 --dport 22 -j DROP
Is there a way to create a rule saying “drop packets intended for ssh no matter which port is being used?”
Bruno Domingues:
Why don't you just use systemctl stop sshd.service?
Alistair Mackay:
Regular firewalls like iptables don’t work at the protocol level, meaning that they can’t tell whether the traffic is HTTP, SSH or whatever, so the answer to that is no.
For that, you would need to use a layer 7 firewall like a Web Application Firewall (or WAF).
Pritesh Ugrankar:
Yes, maybe I quoted the wrong example, @Bruno Domingues. But like Alistair said, I wanted to run a service on a non-standard port and just block it for a particular IP.