Iptables

One golden rule we have in security is: first close everything, then open services one by one, and only to whitelisted IPs.

That is exactly what we are going to do here with the SSH protocol.

Firewall

Iptables is one of the most famous firewalls on Linux. Some people say that it is too complicated, and that is why ufw was created. But still, Iptables is the only one for me :-).

SSH

We are going to drop all packets not coming from one specific IP, and log them before dropping.

iptables -N SSH # create a new chain named SSH
iptables -A SSH -j LOG --log-prefix "SSH DROP: " # log matching packets with a prefix
iptables -A SSH -j DROP # drop every packet that reaches this chain
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT # allow one IP
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 22 -j ACCEPT # allow localhost
iptables -A INPUT -p tcp --dport 22 -j SSH # send everything else to the SSH chain

We can check that the chain and its rules are set up correctly by listing the ruleset:

iptables -L
 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  1.2.3.4              anywhere             tcp dpt:ssh
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:ssh
SSH        tcp  --  anywhere             anywhere             tcp dpt:ssh
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain SSH (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning prefix "SSH DROP: "
DROP       all  --  anywhere             anywhere

We can have a look at the system logs and verify that it is working.

dmesg -T -w
 
[Mon May  3 03:18:38 2021] SSH DROP: IN=eno1 OUT= MAC=ab:cd:ef:f1:85:82:1c:e6:c7:52:07:40:08:33 SRC=46.101.18.4 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=26716 DF PROTO=TCP SPT=55360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
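Once the LOG rule is in place, the useful question is which sources keep hitting the chain. The script below is an added example, not part of the original page: it reads dmesg -T output on stdin, counts the "SSH DROP: " entries per SRC= address and flags sources above a threshold. The sample lines are constructed with documentation addresses (203.0.113.5, 198.51.100.7, 192.0.2.10), and the function names ssh_drop_summary and ssh_drop_alert are this example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: summarise the "SSH DROP: "
# lines that the LOG rule writes to the kernel log, grouped by source address,
# so a host hammering port 22 stands out. Feed it "dmesg -T" output on stdin;
# the sample below is constructed (documentation addresses), not a real capture.

# ssh_drop_summary : read log lines on stdin, print "count SRC" pairs, busiest first
ssh_drop_summary() {
    awk '
        /SSH DROP: / {
            src = ""
            # the kernel LOG target writes KEY=VALUE fields; pick out SRC=
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# ssh_drop_alert N : keep only sources dropped at least N times (a crude
# brute-force indicator; tune N to the log window you feed in)
ssh_drop_alert() {
    ssh_drop_summary | awk -v n="$1" '$1 >= n'
}

# Constructed sample in the same shape as the dmesg -T line above; the last
# line is unrelated kernel noise that must be ignored.
SAMPLE='[Mon May  3 03:18:38 2021] SSH DROP: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=26716 DF PROTO=TCP SPT=55360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[Mon May  3 03:18:39 2021] SSH DROP: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=26717 DF PROTO=TCP SPT=55361 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[Mon May  3 03:18:40 2021] SSH DROP: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4121 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[Mon May  3 03:18:41 2021] usb 1-1: new high-speed USB device number 3 using xhci_hcd'

# top_ssh_drop_source : the busiest source in the sample, e.g. "2 203.0.113.5"
top_ssh_drop_source() {
    printf '%s\n' "$SAMPLE" | ssh_drop_summary | head -n 1
}

# sample_alerts N : sources in the sample dropped at least N times
sample_alerts() {
    printf '%s\n' "$SAMPLE" | ssh_drop_alert "$1"
}

# demo run; on a real host: dmesg -T | ssh_drop_alert 20
printf '%s\n' "$SAMPLE" | ssh_drop_summary
```

On a live server the same functions are fed straight from the kernel log (dmesg -T | ssh_drop_alert 20); because the chain only ever sees tcp/22, every "SSH DROP: " line is by construction a connection attempt that did not come from a whitelisted source.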

Persistent configuration

Once you have checked that everything runs as expected, reboot your server: you will observe that the SSH chain is gone. 8-O Why? By default, iptables rules are not persistent across reboots. One package is dedicated to reloading your rules after each reboot: iptables-persistent

dpkg --list | grep iptables
ii  iptables                          1.8.2-4                           amd64        administration tools for packet filtering and NAT
ii  iptables-persistent               1.0.11+deb10u1                    all          boot-time loader for netfilter rules, iptables plugin
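The following script is an added example, not code from the original page: it ties the two sections together by applying the SSH whitelist chain from the SSH section in an idempotent way and then saving the ruleset where iptables-persistent reloads it from. Two points the one-off commands above do not show: "iptables -C" is used so that re-running the script never duplicates rules, and an already existing jump to SSH is removed and re-appended last, because INPUT is evaluated top to bottom and an ACCEPT appended behind the jump would never be reached. Assumptions: the iptables binary is in PATH, you run it as root, and on Debian iptables-persistent loads /etc/iptables/rules.v4 at boot; IPTABLES_DRY_RUN=1 is this example's own switch to print the commands instead of executing them. Note that the INPUT policy stays ACCEPT, so this only restricts port 22; the -i lo match on the localhost rule is an addition to the page's rule.

```shell
#!/bin/sh
# Added example, not from the original wiki page: apply the SSH whitelist chain
# described above idempotently and save it for iptables-persistent. Set
# IPTABLES_DRY_RUN=1 to print the commands instead of running them (the real
# calls need root). Assumptions: the iptables binary is in PATH and, on Debian,
# iptables-persistent reloads /etc/iptables/rules.v4 at boot.
IPTABLES="${IPTABLES:-iptables}"

# run_ipt ARGS... : run one iptables command, or print it in dry-run mode
# (arguments containing spaces are single-quoted so the output can be pasted back)
run_ipt() {
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ]; then
        printf 'iptables'
        for a in "$@"; do
            case $a in
                *' '*) printf " '%s'" "$a" ;;
                *)     printf ' %s' "$a" ;;
            esac
        done
        printf '\n'
    else
        "$IPTABLES" "$@"
    fi
}

# ensure_rule CHAIN ARGS... : append the rule only if "iptables -C" reports it absent,
# so running the script twice never duplicates rules (dry-run always prints it)
ensure_rule() {
    if [ "${IPTABLES_DRY_RUN:-0}" != 1 ] && "$IPTABLES" -C "$@" 2>/dev/null; then
        return 0
    fi
    run_ipt -A "$@"
}

# apply_ssh_whitelist IP... : only the given sources (plus localhost on lo) may
# reach tcp/22; everything else jumps to the SSH chain, which logs then drops
apply_ssh_whitelist() {
    # create the chain on first run, flush it on later runs so it is rebuilt cleanly
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ] || ! "$IPTABLES" -L SSH -n >/dev/null 2>&1; then
        run_ipt -N SSH
    else
        run_ipt -F SSH
    fi
    ensure_rule SSH -j LOG --log-prefix "SSH DROP: "
    ensure_rule SSH -j DROP

    # INPUT is evaluated top to bottom and -A appends at the end, so a
    # pre-existing jump to SSH would sit in front of any ACCEPT added later.
    # Remove it first (ignoring "not found") and re-append it last.
    run_ipt -D INPUT -p tcp --dport 22 -j SSH 2>/dev/null || true
    for ip in "$@"; do
        ensure_rule INPUT -p tcp -s "$ip" --dport 22 -j ACCEPT
    done
    # -i lo is an addition to the page's rule: 127.0.0.1 is only legitimate on loopback
    ensure_rule INPUT -p tcp -i lo -s 127.0.0.1 --dport 22 -j ACCEPT
    ensure_rule INPUT -p tcp --dport 22 -j SSH
}

# persist_rules : dump the live ruleset where iptables-persistent reloads it
# from at boot on Debian (the same thing "netfilter-persistent save" does)
persist_rules() {
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ]; then
        echo "iptables-save > /etc/iptables/rules.v4"
    else
        iptables-save > /etc/iptables/rules.v4
    fi
}

# usage: IPTABLES_DRY_RUN=1 sh ssh-whitelist.sh 1.2.3.4   (or as root without the variable)
if [ "$#" -gt 0 ]; then
    apply_ssh_whitelist "$@"
    persist_rules
fi
```

Run it once in dry-run mode from a session that is already connected, check that the ACCEPT for your own address is printed before the final jump to SSH, then run it for real; that order is what keeps your current session from being the first thing the new chain drops.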
en/security/iptables.txt · Last modified: 2021/05/02 23:39 by lonclegr