I have a CentOS 7 server with a public IP address, but I found that every day there are many SSH attacks targeted at it. In the future, I also want to deploy some services on the server. I am a newcomer to Linux, so to protect my server I searched the Internet and found that using a VPN to connect to the server is a secure way to avoid attacks.
I chose Tailscale as the VPN provider. Now I want to achieve the following objectives:
1. All services provided by the server, including SSH, must be accessed through the VPN.
2. Tailscale can function properly on the server after the iptables rules are set.
After installing Tailscale, the filter table of my server is:
    [root@hecs-9277 ~]# iptables -nvL
    Chain INPUT (policy ACCEPT 109K packets, 11M bytes)
     pkts bytes target     prot opt in          out         source               destination
     249K   25M ts-input   all  --  *           *           0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in          out         source               destination
        0     0 ts-forward all  --  *           *           0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 161K packets, 23M bytes)
     pkts bytes target     prot opt in          out         source               destination

    Chain ts-forward (1 references)
     pkts bytes target     prot opt in          out         source               destination
        0     0 MARK       all  --  tailscale0  *           0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
        0     0 ACCEPT     all  --  *           *           0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
        0     0 DROP       all  --  *           tailscale0  100.64.0.0/10        0.0.0.0/0
        0     0 ACCEPT     all  --  *           tailscale0  0.0.0.0/0            0.0.0.0/0

    Chain ts-input (1 references)
     pkts bytes target     prot opt in          out         source               destination
        0     0 ACCEPT     all  --  lo          *           100.81.244.76        0.0.0.0/0
        0     0 RETURN     all  --  !tailscale0 *           100.115.92.0/23      0.0.0.0/0
     9239 1268K DROP       all  --  !tailscale0 *           100.64.0.0/10        0.0.0.0/0
As I mentioned, I am a newcomer. I ran the following command just to achieve the goal, but after that I couldn't SSH to the server:

    sudo iptables -t filter -I INPUT ! -s 100.64.0.0/10 -j DROP

Luckily, I can access the server physically, so I deleted the rule I had set.
Now, could anyone teach me how to achieve the goal by setting iptables rules or something else, please?
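The rule in the question drops every packet whose source is not a tailnet address, which also covers loopback and the replies tailscaled itself receives on the physical interface (from DERP relays and peers, with public source addresses), so the tunnel stops working and there is no path left for SSH. Matching on the interface the packet arrived on, with exceptions for loopback and established connections, avoids that. The script below is an added example, not code from the original post or from Tailscale. It assumes the Tailscale interface is tailscale0 (as in the output above), that tailscaled uses its default WireGuard port UDP 41641, and it hooks its own chain into INPUT after the ts-input chain that tailscaled manages; the chain name ts-lockdown, the helper functions and the rollback timer are illustrative choices:

```shell
#!/bin/sh
# Added example (not from the original post). Restrict every inbound service,
# SSH included, to the tailnet by accepting only what arrives on the Tailscale
# interface, while keeping what tailscaled itself needs.
# Assumptions: interface tailscale0, tailscaled's default UDP port 41641,
# and an own chain (ts-lockdown) appended to INPUT after tailscaled's ts-input.
set -u

TS_IF="${TS_IF:-tailscale0}"            # tailnet interface (assumed, matches the question)
TS_UDP_PORT="${TS_UDP_PORT:-41641}"     # tailscaled's default WireGuard listen port (assumed)
CHAIN="ts-lockdown"                     # our chain; ts-input/ts-forward are left to tailscaled
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"   # safety timer so a mistake cannot lock you out again

# Print the rules instead of running them, so they can be reviewed (or tested) first.
gen_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -i lo -j ACCEPT
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -m conntrack --ctstate INVALID -j DROP
iptables -A $CHAIN -i $TS_IF -j ACCEPT
iptables -A $CHAIN -p udp --dport $TS_UDP_PORT -j ACCEPT
iptables -A $CHAIN -j DROP
EOF
}
# Rule by rule: loopback stays open; replies to tailscaled's own outbound
# traffic (STUN, DERP, peers) are ESTABLISHED and pass; everything that came in
# through the tunnel is accepted whatever the service; inbound UDP 41641 lets
# peers reach the WireGuard socket directly instead of relaying; the rest,
# including SSH from the public address, is dropped.

# Apply the rules and start a timer that unhooks the chain after ROLLBACK_SECS,
# so a lock-out undoes itself. Run from a console or an existing tailnet session.
apply_rules() {
    gen_rules | sh -e
    # Append the jump so it sits after ts-input, which tailscaled re-inserts at the top.
    iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -A INPUT -j "$CHAIN"
    nohup sh -c "sleep $ROLLBACK_SECS; iptables -D INPUT -j $CHAIN" >/dev/null 2>&1 &
    echo "rules active; run '$0 commit' within ${ROLLBACK_SECS}s to keep them"
}

# Cancel the safety timer once SSH over the tailnet has been confirmed to work.
commit_rules() {
    pkill -f "sleep $ROLLBACK_SECS; iptables -D INPUT -j $CHAIN" || true
    echo "rollback timer cancelled; remember to persist the rules"
}

case "${1:-}" in
    show)   gen_rules ;;
    apply)  apply_rules ;;
    commit) commit_rules ;;
esac
```

Test the lock-out from a second terminal over the tailnet (`ssh user@100.81.244.76`) before running `commit`; the public address should time out for SSH afterwards. The rules live in memory only: on CentOS 7 the iptables-services package provides `service iptables save` to persist them, and if firewalld is active it should be disabled rather than mixed with hand-written chains, or the same rules expressed in firewalld instead.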