Will using ACCEPT then DROP for a specific port/ip couple allow the ip but nothing else on that port?
Solution 1:
While this will work, it is not best practice. Instead of allowing everything and only dropping specific things, it is best practice to drop everything, and then only allow what you actually want to go through.
A 'normal' IP table ruleset usually begins like this:
# Flush rules
iptables -F
# Policy drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Permit loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Permit new outgoing connections, and packets that belong to
# an existing connection. You might actually not want to allow
# all new connections from the inside if you want to restrict
# this, you will have to allow DNS, updates, etc.. manually
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Same for input
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Custom rules
# ...
iptables -A INPUT -p tcp --dport 8080 -s 5.35.252.105 -j ACCEPT
Also, when setting up a new firewall, do not automatically run the script, or make the changes permanent. This way, if you mess up, a reboot of the server will give you connectivity back.
Solution 2:
Your rules are correct (in case you fix the syntax error in the shell script, mentioned in the previous comment) for IPv4. For IPv6, your machine is likely completely open.
Tips for the future:
Preventing lock out: If you write your rules in
iptables-save
style directly, you may love theiptables-apply
command which restores your previous rules in case the new ones will lock you out.Making rules persistent: On ubuntu, there should be the
iptables-persistent
package to make sure your rules survive a reboot. Just set up your rules and goapt-get install iptables-persistent
and follow the interactive dialogue.Improving style and security: mzhaase gave a very nice tutorial how to write whitelisting rules.