Keith,

What you have is fine and will work, but here's something that will make it faster and more maintainable:

# Create an SSH Access Table
iptables -N SSHACS

Right before your "#Data center Local network" line, put:

# Handle SSH Traffic
iptables -A INPUT -p tcp --dport 22 -j SSHACS

Then for each IP you want to grant SSH Access to:

iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT

This is faster because it won't go through each rule for non-SSH traffic. Splitting similar rules like this can be a big help in complex rule sets.

HTH,
Richard Wilson

---------------------------------------------------------------
On 05/11/2011 07:24 PM, keith smith wrote:
>
> Hi,
>
> I'm rather new to IPTables. I've written a shell script to update and
> save the IPTables on a web server that only has HTTPD, SSL, Secured
> FTP, and SSH available.
>
> I need to be able to access the server via SSH and SFTP and want to
> only allow the data center's local net and only those, by IP, that I
> allow to access the box over the Internet. Port 80 and 443 should be
> open to everyone.
>
> I'm hoping someone or a couple of people can look at what I have
> written and give me some feedback. I've already locked myself out of
> one server so I would like to avoid that again.
>
> Thanks in advance for your help!
>
> - - - - - - -
>
> #!/bin/bash
> #
> # iptables configuration for xxxxxxxxxxx
> #------
> # Flush all current rules from iptables
> iptables -F
>
> # Drop all forwarded packets
> iptables -P FORWARD DROP
>
> # Set access for localhost
> iptables -A INPUT -i lo -j ACCEPT
>
> # Port 80 for everyone
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> # Port 443 for everyone
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>
> # No SMTP/POP/MySql/Named ... ETC
>
> # Accept packets belonging to established and related connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #---------------------------------------------------------------------------------------------
> # Allow SSH/FTP connections on tcp port 22 for only those we want to FTP or SSH into the box
> #---------------------------------------------------------------------------------------------
>
> #Data center Local network
> iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT
>
> #User 1
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #user 2
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #user 3
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #---------------------------------------------------------------------------------
> # - - - - Add additional consultants here and run script again - - - - -
> #---------------------------------------------------------------------------------
>
> # Data Center Staff from outside
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #-----------------------------------------------------------------------------
> # - - - - Add additional Data Center staff here and run script again - - - - -
> #-----------------------------------------------------------------------------
>
>
> # Allow all outbound traffic
> iptables -P OUTPUT ACCEPT
>
> # Drop everything else
> iptables -P INPUT DROP
>
>
> # Save settings
> /sbin/service iptables save
>
> # List rules
> iptables -L -v
>
>
> ------------------------
> Keith Smith
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
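As an added example (not code from either post), here is a shell version of the dedicated SSHACS chain Richard describes, extended so that every allow-list entry is validated before the firewall is touched and unmatched SSH attempts are logged before they are dropped. The names IPT, valid_cidr and load_ssh_acl are my own; it assumes, like Keith's script, that INPUT has just been flushed so the jump rule is added only once.

```shell
#!/bin/bash
# Added example: build the SSHACS allow-list chain with input validation.
# Set IPT=echo to preview the commands without running iptables.
set -u
IPT=${IPT:-iptables}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
    local spec=$1 addr prefix octet
    case $spec in
        */*) addr=${spec%/*}; prefix=${spec#*/} ;;
        *)   addr=$spec; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *..*|.*|*.) return 1 ;; esac   # empty octets
    local IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Load the SSH allow-list (one or more addresses or CIDR blocks) into the
# SSHACS chain. Rejects the whole list on any malformed entry, so a typo
# (such as a 999.x placeholder left in) never yields a half-built rule set.
load_ssh_acl() {
    local spec
    for spec in "$@"; do
        valid_cidr "$spec" || { echo "refusing invalid address: $spec" >&2; return 1; }
    done
    $IPT -N SSHACS 2>/dev/null || $IPT -F SSHACS   # create the chain, or empty it on re-run
    for spec in "$@"; do
        $IPT -A SSHACS -s "$spec" -j ACCEPT
    done
    $IPT -A SSHACS -j LOG --log-prefix "SSH-denied:"   # visible in the kernel log for review
    $IPT -A SSHACS -j DROP
    $IPT -A INPUT -p tcp --dport 22 -j SSHACS   # only port 22 traffic walks the chain
}

# Usage: IPT=echo ./ssh-acl.sh 192.168.100.0/28 203.0.113.7   (preview)
#        ./ssh-acl.sh 192.168.100.0/28 203.0.113.7            (apply, as root)
if [ $# -gt 0 ]; then
    load_ssh_acl "$@"
fi
```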