How can you remove the “any any” rule for ssh in iptables?
I am trying to reduce the allowed connections for ssh via iptables/firewall-cmd.

When I list the rules with "iptables -L" it shows me the configured accepted IPs, but at the end I have this "any any" rule for ssh?!

It seems like I can't remove it. Is this a default which will be overwritten by my rules, or how can I remove it?

iptables -L:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (3 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (3 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (3 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- <MYIP> anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- <MYIP> anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- <MYIP> anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

firewall-cmd --list-all-zones:

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public (active)
target: default
icmp-block-inversion: no
interfaces: ens161
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept
rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept
rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

firewall-cmd --list-all:

public (active)
target: default
icmp-block-inversion: no
interfaces: ens161
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept
rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept
rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept

rhel iptables firewall firewalld

edited Dec 10 at 13:48
asked Dec 10 at 10:30
CodingMonkey
61

  • CodingMonkey. It seems you have multiple zones active and your firewall is managed by firewalld. Can you show the output of firewall-cmd --list-all-zones and firewall-cmd --list-all?
    – Valentin Bajrami
    Dec 10 at 10:55

  • @ValentinBajrami Thanks for the reply, I've added the firewall-cmd output.
    – CodingMonkey
    Dec 10 at 13:49

  • CodingMonkey, the problem is that your rich rules have an accept policy only and no drop rule there. So those rich rules that accept connections aren't helping much. If you want to drop the rest of the ssh connections you can use something like: firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=0.0.0.0 port port=22 protocol=tcp drop'. Also your public zone has interface ens161 attached to it, so this one will have precedence! If you deny ssh access here it means you deny it for all other zones.
    – Valentin Bajrami
    Dec 10 at 14:10

  • @ValentinBajrami Aren't "DROP all -- anywhere anywhere ctstate INVALID" and "REJECT all -- anywhere anywhere reject-with icmp-host-prohibited" blocking any non-configured connection? I managed to clear the "any any" rule btw: ssh was added as a service, I removed it via firewall-cmd --zone=public --remove-service=ssh --permanent
    – CodingMonkey
    Dec 11 at 16:22
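
The situation in this thread is worth making mechanical. The "any any" rule (ACCEPT tcp -- anywhere anywhere tcp dpt:ssh in IN_public_allow) is the ssh service that the public zone enables for every source; the three source-restricted rich rules only add sources on top of that, so they cannot narrow anything while the service stays listed. Once the service is removed, the zone's default target takes over and unmatched traffic hits the REJECT ... icmp-host-prohibited rule at the end of INPUT, which answers the last comment's question: no extra drop rule is needed. The script below is an added example, not code from the question or its comments. It audits a zone dump in the format firewall-cmd --list-all prints and flags exactly this condition. The sample dump is constructed to mirror the question's public zone (with the asker's <MYIP> placeholder), and the function names are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the question): audit a firewalld zone dump, in the
# format printed by `firewall-cmd --zone=<zone> --list-all`, for ssh that is
# reachable from any source while source-restricted rich rules also exist.

# Constructed sample mirroring the question's public zone. <MYIP> is the
# asker's placeholder, not a real address.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens161
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="<MYIP>" port port="22" protocol="tcp" accept'

# The same zone after `firewall-cmd --zone=public --remove-service=ssh --permanent`
# followed by `firewall-cmd --reload`: only the services line changes (constructed).
FIXED_ZONE=$(printf '%s\n' "$SAMPLE_ZONE" | sed 's/ ssh$//')

# ssh_open_to_any DUMP
# Prints "open" when the zone admits ssh from any source, i.e. the ssh service
# is enabled or 22/tcp is in the ports list; prints "restricted" otherwise.
# Rich rules are deliberately not consulted: an accept rich rule only adds
# sources, it never narrows what the zone's services already allow.
ssh_open_to_any() {
  dump="$1"
  if printf '%s\n' "$dump" | grep -Eq '^[[:space:]]*services:.* ssh( |$)'; then
    echo open
  elif printf '%s\n' "$dump" | grep -Eq '^[[:space:]]*ports:.* 22/tcp( |$)'; then
    echo open
  else
    echo restricted
  fi
}

# count_source_limited_ssh_accepts DUMP
# Counts accept rich rules that pin port 22/tcp to a specific source address.
# Wherever ssh_open_to_any reports "open", every one of these is redundant.
count_source_limited_ssh_accepts() {
  dump="$1"
  printf '%s\n' "$dump" \
    | grep -Ec 'rule .*source address=.*port port="22" protocol="tcp" accept' || true
}

# audit_zone NAME DUMP
# One-line verdict; returns 1 when ssh is open to any source so the check can
# gate a config-management run or a cron job.
audit_zone() {
  name="$1"
  dump="$2"
  state=$(ssh_open_to_any "$dump")
  rules=$(count_source_limited_ssh_accepts "$dump")
  if [ "$state" = open ]; then
    echo "$name: ssh reachable from ANY source; $rules source-limited accept rule(s) are redundant"
    echo "  fix: firewall-cmd --zone=$name --remove-service=ssh --permanent && firewall-cmd --reload"
    return 1
  fi
  echo "$name: ssh limited to $rules explicit source rule(s)"
}

# Run against the constructed before/after dumps. On a live RHEL host you
# would feed it: audit_zone public "$(firewall-cmd --zone=public --list-all)"
audit_zone public "$SAMPLE_ZONE" || true
audit_zone public "$FIXED_ZONE"
```

Two caveats before applying the fix on a real host. The asker's command used --permanent only, which edits the saved configuration and leaves the running rule set unchanged until firewall-cmd --reload (or the same command repeated without --permanent); the audit above reads the runtime view, so it will still report "open" until the reload. And removing the ssh service makes the source-restricted rich rules the only way in, so confirm from the listed <MYIP> addresses that the rich rules actually match your client before reloading, or keep a second session open while you do it.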
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f487080%2fhow-can-you-remove-the-any-any-rule-for-ssh-in-iptables%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f487080%2fhow-can-you-remove-the-any-any-rule-for-ssh-in-iptables%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Morgemoulin

Scott Moir

Souastre