Sometimes we want to restrict SSH connections to our own networks only, to prevent abusive login attempts.
This is how to do it with iptables:
# iptables -F
# iptables -N SSHD
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 1.2.3.4/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 5.6.7.8/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s a.b.c.d/24 -j RETURN
# iptables -A SSHD -j REJECT --reject-with icmp-host-prohibited
# iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD
All connections, except those from the networks we defined in iptables, will be rejected with icmp-host-prohibited. The counters in the listing confirm which rule each connection hit:
# iptables -nvL
Chain INPUT (policy ACCEPT 934K packets, 529M bytes)
 pkts bytes target     prot opt in     out     source               destination
 3252  207K SSHD       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain SSHD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  717 35832 RETURN     all  --  *      *       1.2.3.4/24           0.0.0.0/0            state NEW,RELATED,ESTABLISHED
 2535  171K RETURN     all  --  *      *       5.6.7.8/24           0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      *       a.b.c.d/24           0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
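The same SSHD chain can be built as an iptables-restore ruleset so the whole filter table is swapped in one atomic step instead of rule by rule, and a malformed network or an empty allow-list is caught before anything is loaded (which would otherwise lock everyone out). This is an added example, not part of the original post; the gen_sshd_rules and valid_cidr names and the sample networks are my own.

```shell
#!/bin/sh
# Added example (not from the original post): emit the SSHD chain above as an
# iptables-restore ruleset. Usage:
#   gen_sshd_rules 1.2.3.4/24 5.6.7.8/24 | iptables-restore
# Like the post's "iptables -F", this replaces the filter table's contents;
# policies stay ACCEPT, as in the post's "iptables -nvL" output.

# Accept only a dotted-quad IPv4 prefix with a /0-32 mask, so a typo such as
# "1.2.3/24" is rejected instead of becoming a rule that matches too much.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    cidr_ip=${1%/*}
    cidr_len=${1#*/}
    case "$cidr_len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$cidr_len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $cidr_ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset: one RETURN per allowed network, then REJECT, and the
# INPUT hook that sends only TCP port 22 through SSHD. NEW,RELATED,ESTABLISHED
# is every state except INVALID (and UNTRACKED), so the state match only
# drops INVALID packets; the source match does the real filtering.
gen_sshd_rules() {
    # Refuse an empty allow-list: the chain would then reject every SSH client.
    [ $# -gt 0 ] || { printf 'no allowed networks given\n' >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { printf 'bad network: %s\n' "$net" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':SSHD - [0:0]'
    for net in "$@"; do
        printf '%s\n' "-A SSHD -m state --state NEW,RELATED,ESTABLISHED -s $net -j RETURN"
    done
    printf '%s\n' '-A SSHD -j REJECT --reject-with icmp-host-prohibited' \
                  '-A INPUT -p tcp -m tcp --dport 22 -j SSHD' 'COMMIT'
}
```

Run it first without the pipe to review the ruleset, and keep a console or out-of-band session open while loading in case your own source network is not in the list.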