Recipe 2.10 Blocking Remote Access, but Permitting Local

2.10.1 Problem

You want only local users to access a TCP service; remote requests should be denied.

2.10.2 Solution

Permit connections via the loopback interface and reject all others.

For iptables :

# iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT # iptables -A INPUT -p tcp --dport service -j REJECT

For ipchains:

# ipchains -A input -p tcp -i lo --dport service -j ACCEPT # ipchains -A input -p tcp --dport service -j REJECT

Alternatively, you can single out your local IP address specifically:

For iptables:

# iptables -A INPUT -p tcp ! -s your_IP_address --dport service -j REJECT

For ipchains:

# ipchains -A input -p tcp ! -s your_IP_address --dport service -j REJECT

Depending on your shell, you might need to escape the exclamation point.

2.10.3 Discussion

The local IP address can be a network specification, of course, such as a.b.c.d/N.

You can permit an unrelated set of machines to access the service but reject everyone else, like so:

For iptables:

# iptables -A INPUT -p tcp -s IP_address_1 --dport service -j ACCEPT # iptables -A INPUT -p tcp -s IP_address_2 --dport service -j ACCEPT # iptables -A INPUT -p tcp -s IP_address_3 --dport service -j ACCEPT # iptables -P INPUT -j REJECT

For ipchains:

# ipchains -A input -p tcp -s IP_address_1 --dport service -j ACCEPT # ipchains -A input -p tcp -s IP_address_2 --dport service -j ACCEPT # ipchains -A input -p tcp -s IP_address_3 --dport service -j ACCEPT # ipchains -P input -j REJECT

2.10.4 See Also

iptables(8), ipchains(8). Chapter 3 covers diverse, non-firewall approaches to block incoming service requests.