Will using ACCEPT then DROP for a specific port/ip couple allow the ip but nothing else on that port?

Solution 1:

While this will work, it is not best practice. Instead of allowing everything and only dropping specific things, it is best practice to drop everything, and then only allow what you actually want to go through.

A 'normal' iptables ruleset usually begins like this:

# Flush rules
iptables -F

# Policy drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Permit loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Permit new outgoing connections, and packets that belong to
# an existing connection. You might actually not want to allow
# all new connections from the inside; if you want to restrict
# this, you will have to allow DNS, updates, etc. manually
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Same for input
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Custom rules
# ...
iptables -A INPUT -p tcp --dport 8080 -s 5.35.252.105 -j ACCEPT

Also, when setting up a new firewall, do not automatically run the script, or make the changes permanent. This way, if you mess up, a reboot of the server will give you connectivity back.

Solution 2:

Your rules are correct (in case you fix the syntax error in the shell script, mentioned in the previous comment) for IPv4. For IPv6, your machine is likely completely open.

Tips for the future:

  • Preventing lockout: If you write your rules in iptables-save style directly, you may love the iptables-apply command, which restores your previous rules in case the new ones lock you out.

  • Making rules persistent: On Ubuntu, there should be the iptables-persistent package to make sure your rules survive a reboot. Just set up your rules, run apt-get install iptables-persistent and follow the interactive dialogue.

  • Improving style and security: mzhaase gave a very nice tutorial on how to write whitelisting rules.
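As an added example (not code from either answer), the whitelist ruleset from Solution 1 written in the iptables-save format that iptables-apply and iptables-restore consume, plus an IPv6 counterpart so the host is not left open on v6 as Solution 2 warns, and a check that no built-in chain slipped back to ACCEPT. The function names are hypothetical; the port and source address are the ones from the question.

```shell
# Added example: emit whitelist-style rulesets (default DROP, then explicit
# ACCEPTs) in iptables-save format rather than applying rules one by one.
# Port and source address are passed in; 8080 / 5.35.252.105 come from the question.

gen_v4_rules() {
  port="$1"; src="$2"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s ${src} --dport ${port} -j ACCEPT
COMMIT
EOF
}

# IPv6 counterpart: same policy, plus ICMPv6, which neighbour discovery
# needs; with it dropped the host loses its IPv6 link entirely.
gen_v6_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading a file: every built-in chain must be DROP,
# so a typo cannot silently turn the host back into allow-by-default.
policy_is_drop() {
  ! grep -Eq '^:(INPUT|FORWARD|OUTPUT) ACCEPT' "$1"
}

# Usage: gen_v4_rules 8080 5.35.252.105 > /tmp/v4.rules && policy_is_drop /tmp/v4.rules
```

Dry-run the generated file with `iptables-restore --test /tmp/v4.rules` (ip6tables-restore for the v6 file) before handing it to iptables-apply, which rolls back if you lose your SSH session.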