Restrict SSH Access on Linux with iptables: IP‑Based Rules and Script

This guide shows how to secure a Linux server by using iptables to block all SSH traffic on port 22 and then selectively allow connections from specific IP addresses or subnets through a reusable shell script.

Liangxu Linux

Linux servers accept SSH connections on port 22 by default, which exposes the SSH service to every host that can reach the server. The article demonstrates how to tighten access by creating iptables rules that first drop all SSH traffic and then whitelist particular IP addresses, ranges or subnets.

Core iptables commands

# Drop all SSH traffic (run this command first)
iptables -I INPUT -p tcp --dport 22 -j DROP -m comment --comment "ssh"

# Allow a specific IP range
iptables -I INPUT -p tcp -m iprange --src-range 172.18.163.227-172.18.163.232 --dport 22 -j ACCEPT -m comment --comment "ssh"

# Allow an entire subnet
iptables -I INPUT -p tcp -s 10.99.193.0/24 --dport 22 -j ACCEPT -m comment --comment "ssh"

The rules live in the filter table's INPUT chain, and the -I option inserts each new rule at the top of the chain. The DROP rule must therefore be inserted first: every ACCEPT rule inserted after it lands above it, so a packet from a whitelisted source matches an ACCEPT before it reaches the DROP, while SSH traffic from any other source falls through to the DROP. Inserting the DROP last would place it above the ACCEPT rules and block SSH for everyone.

Viewing and removing rules

To list the inserted rules with line numbers and the "ssh" comment:

iptables -t filter -nvL --line-number | grep ssh

To delete a rule, specify the table, chain, and line number (e.g., to delete rule number 3):

iptables -t filter -D INPUT 3

When removing multiple rules, delete from the highest line number downward: deleting a rule renumbers every rule below it, so working upward keeps the remaining numbers from the listing valid.
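The two sections above (inserting the rules with -I in the right order, then listing and deleting them by line number) can be tied together in a small helper. The following is an added example, not code from the original article: it prints the insert commands for a list of allowed sources in the order the text prescribes, audits a captured iptables -nvL --line-numbers listing to confirm that every ssh ACCEPT sits above the ssh DROP in the INPUT chain, and emits the delete commands from the highest line number downward. The two listings embedded in it are constructed sample output, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): generate the ssh whitelist
# rules in the correct order and audit a captured listing of the INPUT chain.

# gen_ssh_rules SPEC... : print the iptables commands for the given allowed
# sources. The DROP is printed first; every ACCEPT is then inserted with -I,
# so in the live chain the ACCEPT rules end up above the DROP.
# A SPEC is a single IP, a CIDR (10.99.193.0/24) or a range (a.b.c.d-e.f.g.h).
gen_ssh_rules() {
    echo 'iptables -I INPUT -p tcp --dport 22 -j DROP -m comment --comment "ssh"'
    for spec in "$@"; do
        case "$spec" in
            *-*) echo "iptables -I INPUT -p tcp -m iprange --src-range $spec --dport 22 -j ACCEPT -m comment --comment \"ssh\"" ;;
            *)   echo "iptables -I INPUT -p tcp -s $spec --dport 22 -j ACCEPT -m comment --comment \"ssh\"" ;;
        esac
    done
}

# ssh_rule_numbers < listing : line numbers of the "ssh" rules in the INPUT
# chain of an `iptables -nvL --line-numbers` listing, highest first. Deleting
# in that order keeps the remaining line numbers valid.
ssh_rule_numbers() {
    awk '/^Chain /{chain=$2} chain=="INPUT" && /\/\* ssh \*\// {print $1}' | sort -rn
}

# gen_ssh_cleanup < listing : the delete commands, highest line number first.
gen_ssh_cleanup() {
    ssh_rule_numbers | while read -r n; do
        echo "iptables -t filter -D INPUT $n"
    done
}

# check_ssh_order < listing : exit 0 only if the INPUT chain has an "ssh" DROP
# and every "ssh" ACCEPT is above it (has a lower line number).
check_ssh_order() {
    awk '
        BEGIN { maxacc = 0; nacc = 0; drop = "" }
        /^Chain / { chain = $2 }
        chain == "INPUT" && /\/\* ssh \*\// {
            if ($4 == "DROP")   { drop = $1 }
            if ($4 == "ACCEPT") { nacc++; if ($1 + 0 > maxacc) maxacc = $1 + 0 }
        }
        END {
            if (drop == "") { print "no ssh DROP rule in INPUT"; exit 1 }
            if (nacc == 0)  { print "no ssh ACCEPT rules in INPUT"; exit 1 }
            if (maxacc < drop + 0) {
                print "ok: " nacc " ACCEPT rule(s) above the DROP at line " drop; exit 0
            }
            print "WRONG ORDER: ACCEPT at line " maxacc " is below the DROP at line " drop; exit 1
        }'
}

# Constructed sample listing: what `iptables -nvL --line-numbers` prints after
# the three commands from the article were run in the prescribed order.
GOOD_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       10.99.193.0/24       0.0.0.0/0            tcp dpt:22 /* ssh */
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 172.18.163.227-172.18.163.232 tcp dpt:22 /* ssh */
3       12   720 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* ssh */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Constructed listing for the mistake of inserting the DROP last: it sits
# above the ACCEPT, so nobody can reach port 22.
BAD_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* ssh */
2        0     0 ACCEPT     tcp  --  *      *       10.99.193.0/24       0.0.0.0/0            tcp dpt:22 /* ssh */'

echo "# rules to apply, in this order:"
gen_ssh_rules 10.99.193.0/24 172.18.163.227-172.18.163.232
echo "# audit of the good listing:"
printf '%s\n' "$GOOD_LISTING" | check_ssh_order
echo "# audit of the bad listing:"
printf '%s\n' "$BAD_LISTING" | check_ssh_order || true
echo "# cleanup commands, highest line number first:"
printf '%s\n' "$GOOD_LISTING" | gen_ssh_cleanup
```

Run as-is to see the output on the sample listings; on a real host, pipe iptables -nvL --line-numbers into check_ssh_order after applying the rules. The audit only looks at rules carrying the "ssh" comment, which is why tagging every rule with -m comment is worth the extra typing: it makes both the audit and the cleanup mechanical.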

Complete example script (iptables-myrules.sh)

#! /bin/bash
# author: xiongzaiqiren
# date: 2023-03-20
# usage: sh iptables-myrules.sh

# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Keep loopback traffic and replies to connections this host opened working.
# Without these two rules a DROP policy also discards DNS answers, package
# downloads and the packets of the SSH session this script is run from.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Whitelist specific IPs and subnets for SSH
iptables -A INPUT -s 10.99.193.243 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.90.5.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.99.193.0/24 -p tcp --dport 22 -j ACCEPT

# Default policy: drop every incoming packet that no rule above accepted.
# Set it last, once the whitelist is in place, so there is never a moment
# in which SSH traffic is dropped before its ACCEPT rule exists.
iptables -P INPUT DROP

# List current rules with line numbers
iptables -nvL --line-numbers

# (Optional) Delete a rule, e.g., remove the first rule in the filter table's INPUT chain
# iptables -t filter -D INPUT 1

After modifying the rules, save them with iptables-save > /etc/iptables-myrules.conf. Note that iptables-save only writes the current rule set to a file; the rules are lost at reboot unless that file is loaded again at boot with iptables-restore, for example from the distribution's iptables service or a startup script.
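Because the script switches the INPUT policy to DROP, the one check a practitioner wants before running it over SSH is that the whitelist covers the address they are connected from. The block below is an added example, not part of the original script: it evaluates the three source forms the article uses (single address, CIDR subnet, iprange) in plain sh arithmetic and refuses to continue when the SSH peer address taken from SSH_CONNECTION is not covered. The whitelist values are the article's; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): before switching the INPUT
# policy to DROP, confirm that the address you are connected from is covered
# by the SSH whitelist, otherwise the script would cut your own session off.

# ip2int a.b.c.d -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# source_matches IP SPEC : true if IP is covered by SPEC, where SPEC is a
# single address (as in "-s 10.99.193.243"), a CIDR ("-s 10.90.5.0/24") or an
# iprange ("--src-range 172.18.163.227-172.18.163.232"), the forms the article uses.
source_matches() {
    ip=$(ip2int "$1")
    case "$2" in
        *-*)
            lo=$(ip2int "${2%-*}"); hi=$(ip2int "${2#*-}")
            [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ] ;;
        */*)
            net=$(ip2int "${2%/*}"); bits=${2#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            [ $(( ip & mask )) -eq $(( net & mask )) ] ;;
        *)
            [ "$ip" -eq "$(ip2int "$2")" ] ;;
    esac
}

# whitelist_covers IP SPEC... : true if any SPEC covers IP
whitelist_covers() {
    client=$1; shift
    for spec in "$@"; do
        if source_matches "$client" "$spec"; then return 0; fi
    done
    return 1
}

# check_before_apply CLIENT SPEC... : refuse (exit 1) when CLIENT, the address
# of the current SSH peer, is not in the whitelist. An empty CLIENT means the
# script is not running inside an SSH session, so there is nothing to lock out.
check_before_apply() {
    client=$1; shift
    if [ -z "$client" ]; then
        echo "not an SSH session, nothing to check" >&2
        return 0
    fi
    if whitelist_covers "$client" "$@"; then
        echo "client $client is whitelisted, safe to apply"
        return 0
    fi
    echo "REFUSING: client $client is not in the whitelist, you would lock yourself out" >&2
    return 1
}

# The whitelist from the article's script plus the range from its first section.
WHITELIST="10.99.193.243 10.90.5.0/24 10.99.193.0/24 172.18.163.227-172.18.163.232"

# sshd exports SSH_CONNECTION as "client_ip client_port server_ip server_port";
# the peer address is the first field.
if check_before_apply "${SSH_CONNECTION%% *}" $WHITELIST; then
    : # safe: run the iptables commands from iptables-myrules.sh at this point
fi
```

The check deliberately ignores the ESTABLISHED exception: even on a host whose rule set keeps the current session alive, the next login would fail if the source is not whitelisted, so refusing early is the cheaper mistake to make.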

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: network security, iptables, Bash script
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
