DEV Community

Dr-QTDS

How to deny access to a server from the public network?

Hello everyone,

I have a CentOS 7 server with a public IP address, but I found that every day there are many SSH attacks targeted at it. In the future, I also want to deploy some services on the server. But I am a new hand in Linux, so to protect my server I searched the Internet and found that using a VPN to connect to the server is a secure way to avoid attacks.

I chose Tailscale as the VPN provider. Now I want to achieve the following objectives:

1. All services provided by the server including SSH must be accessed through the VPN.

2. Tailscale can function properly on the server after setting up iptables.

After installing Tailscale, the filter table of my server is:

[root@hecs-9277 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 109K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
 249K   25M ts-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ts-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 161K packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ts-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  tailscale0 *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
    0     0 DROP       all  --  *      tailscale0  100.64.0.0/10        0.0.0.0/0
    0     0 ACCEPT     all  --  *      tailscale0  0.0.0.0/0            0.0.0.0/0

Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       100.81.244.76        0.0.0.0/0
    0     0 RETURN     all  --  !tailscale0 *       100.115.92.0/23      0.0.0.0/0
 9239 1268K DROP       all  --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0

As I mentioned, I am a new hand, and I ran the following command just wanting to achieve the goal, but after that I couldn't SSH to the server: sudo iptables -t filter -I INPUT ! -s 100.64.0.0/10 -j DROP. Luckily, I can access the server physically, so I deleted the rule I had set.

Now, could anyone teach me how to achieve this goal by setting up iptables or something else, please?

Thanks!
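An added example (not part of the original post, and not Tailscale's own code) showing one way to meet both objectives. The rule in the post drops every inbound packet whose source is outside 100.64.0.0/10, which also kills loopback traffic and the replies to connections the server itself opens, so tailscaled loses its control-plane and DERP connections and nothing works; the ruleset below keeps those, accepts new connections only on tailscale0, and applies itself with a timed rollback so a mistake cannot lock you out again. Assumptions: the tailnet interface is tailscale0, tailscaled's own ts-input/ts-forward chains are left untouched (hence --noflush), 41641/udp is Tailscale's default WireGuard port, the backup path is made up, and rules are persisted the iptables-services way rather than through firewalld.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tailscale. Emits an
# iptables ruleset that accepts new inbound connections only over tailscale0
# and applies it with an automatic rollback, so a mistake cannot lock you out.
# Assumptions: the tailnet interface is tailscale0; tailscaled's own ts-input /
# ts-forward chains are left alone (hence --noflush); 41641/udp is Tailscale's
# default WireGuard port (optional: without it peers fall back to DERP relays).
set -eu

BACKUP="${BACKUP:-/root/iptables.before-tailnet-only}"   # assumed path
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Rules in iptables-restore syntax. Loopback and replies to connections the
# server itself opened (yum, DNS, tailscaled's control/DERP traffic) stay
# allowed; everything else not arriving on tailscale0 hits the DROP policy.
ts_only_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 41641 -j ACCEPT
-A INPUT -i tailscale0 -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in the ruleset (sanity check before applying).
accept_rule_count() {
  ts_only_ruleset | grep -c -- '-j ACCEPT'
}

# Dead-man's switch: the backup is restored after ROLLBACK_SECS unless the new
# rules are confirmed from a fresh session opened over the tailnet.
apply_with_rollback() {
  iptables-save > "$BACKUP"
  rm -f "$BACKUP.confirmed"
  ts_only_ruleset | iptables-restore --noflush
  nohup sh -c "sleep $ROLLBACK_SECS; [ -e '$BACKUP.confirmed' ] || iptables-restore < '$BACKUP'" >/dev/null 2>&1 &
  echo "applied; reconnect via your tailnet IP within ${ROLLBACK_SECS}s and run: $0 confirm"
}

case "${1:-}" in
  apply)   apply_with_rollback ;;
  confirm) touch "$BACKUP.confirmed"; echo "kept; persist with: iptables-save > /etc/sysconfig/iptables" ;;
  *)       ts_only_ruleset ;;   # default: print the ruleset for review
esac
```

Run it with no arguments first to review the ruleset, then `apply` from the console or an existing session, and `confirm` from a new SSH session opened to the server's 100.x tailnet address; if that second session cannot be opened, the old rules come back by themselves.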
