How to Secure SSH Access on Linux with iptables: Restrict by IP
Learn how to protect your Linux server by blocking default SSH access on port 22 and allowing only specific IP addresses or ranges using iptables rules, with step-by-step shell script examples, rule inspection commands, and removal procedures for robust security.
Goal: Restrict Linux server login using iptables rules
By default, Linux servers accept SSH logins on port 22 from any source address, which is insecure. This guide shows how to limit access to specific source IPs.
Method: Put the rules in a shell script (iptables.sh) so they can be re-applied consistently.
# Drop all SSH traffic first; every later -I insertion lands above this rule
iptables -I INPUT -p tcp --dport 22 -j DROP -m comment --comment "ssh"
# Allow a range of IPs
iptables -I INPUT -p tcp -m iprange --src-range 172.18.163.227-172.18.163.232 --dport 22 -j ACCEPT -m comment --comment "ssh"
# Allow a subnet
iptables -I INPUT -p tcp -s 10.99.193.0/24 --dport 22 -j ACCEPT -m comment --comment "ssh"
Explanation: These commands operate on the filter table's INPUT chain. Because -I inserts at the top of the chain, the DROP rule must be run first: each subsequent ACCEPT is then inserted above it, so allowed sources are matched before the catch-all DROP.
To view the inserted rules, run:
iptables -t filter -nvL --line-numbers | grep ssh
To delete a rule, use its line number, for example:
iptables -t filter -D INPUT 3
When deleting, specify the filter table's INPUT chain and start from the highest line number, because each deletion renumbers the rules below it.
Example script (iptables-myrules.sh) that blocks all traffic and then allows specific IPs:
#! /bin/bash
# author: xiongzaiqiren
# date: 2023-03-20
# usage: sh iptables-myrules.sh
# Set server security, allow specific source IPs
# Keep loopback traffic and replies to the server's own outbound connections;
# without these the DROP policy below also blocks DNS answers, package updates, etc.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow specific IPs or ranges
iptables -A INPUT -s 10.99.193.243 -p tcp -j ACCEPT
iptables -A INPUT -s 10.90.5.0/24 -p tcp -j ACCEPT
iptables -A INPUT -s 10.99.193.0/24 -p tcp -j ACCEPT
# Drop all other connections; set the policy last so the allow rules are already in place
iptables -P INPUT DROP
# Show the resulting chain
iptables -nvL --line-numbers
Remember to save the rules after changes with iptables-save > /etc/iptables-myrules.conf.
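The two procedures above (inserting the ssh-tagged rules in the right order, and deleting them highest line number first) as an added example; this is not code from the original article. It only prints the iptables commands so they can be reviewed before being run, and assumes allow-list entries are single IPs, CIDRs, or "a-b" ranges; the listing it parses is constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example (not from the original article): generate, rather than run, the
# iptables commands for an SSH allow-list so they can be reviewed first.
# Assumption: sources are given as single IPs, CIDRs, or "a-b" ranges.

# Print the source match for one entry: ranges need the iprange module,
# single IPs and CIDRs use plain -s.
match_for() {
  case "$1" in
    *-*) printf -- '-m iprange --src-range %s' "$1" ;;
    *)   printf -- '-s %s' "$1" ;;
  esac
}

# Emit the commands in the same order as the article: the DROP goes in first,
# then every ACCEPT is inserted (-I) above it. Each command is guarded by
# "iptables -C" so re-running the output never creates duplicate rules.
ssh_allowlist_rules() {
  drop='INPUT -p tcp --dport 22 -j DROP -m comment --comment "ssh"'
  echo "iptables -C $drop 2>/dev/null || iptables -I $drop"
  for src in "$@"; do
    rule="INPUT -p tcp $(match_for "$src") --dport 22 -j ACCEPT -m comment --comment \"ssh\""
    echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
  done
}

# Read "iptables -nvL --line-numbers" output on stdin and emit delete commands
# for the ssh-tagged rules, highest line number first, since every deletion
# renumbers the rules below it.
ssh_delete_commands() {
  grep -F '/* ssh */' | awk '{ print $1 }' | sort -rn | while read -r n; do
    echo "iptables -t filter -D INPUT $n"
  done
}

# Constructed sample listing (not captured from a real host) for ssh_delete_commands.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target  prot opt in  out  source           destination
1        0     0 ACCEPT  tcp  --  *   *    10.99.193.0/24   0.0.0.0/0   tcp dpt:22 /* ssh */
2        0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0        0.0.0.0/0   source IP range 172.18.163.227-172.18.163.232 tcp dpt:22 /* ssh */
3        0     0 DROP    tcp  --  *   *    0.0.0.0/0        0.0.0.0/0   tcp dpt:22 /* ssh */'

ssh_allowlist_rules 172.18.163.227-172.18.163.232 10.99.193.0/24
printf '%s\n' "$SAMPLE_LISTING" | ssh_delete_commands
```

Pipe the printed commands to sh once they look right; the -C guards make the script safe to run more than once.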
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.