-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
This is a fail2ban chain to block bots, but I strongly suggest using ipset and not storing each network as a separate rule.
On my Debian server I use netfilter-persistent with the ipset plugin and fail2ban.
Works like charm!
But since the policy is "ACCEPT", other ports are open.
My usual incantation and response:
# sudo iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
iptables: No chain/target/match by that name.
What is "IN_public_allow"?
I do not see a chain with this name. Do you?
# sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate
...
But no open ports, in spite of the output shown.
Hmm, I see 80 and 443 are open here. How did you check?
(I suggest using a multiport rule, btw)
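As an added illustration of the two suggestions above (one ipset set instead of a REJECT rule per source, and a single multiport rule), this is example code, not anything posted in the thread: it reads an `iptables -S` dump and prints the equivalent ipset/iptables commands for review instead of executing them. The set name, the port list and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example: convert a per-source REJECT chain into an ipset set plus
# one multiport rule. Output is printed, not applied, so it can be reviewed.

# Constructed sample of `iptables -S` output, modelled on the thread's dump
# (documentation addresses, not real bans).
SAMPLE_DUMP='-P INPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.0/24 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# to_ipset CHAIN SETNAME PORTS   (iptables -S dump on stdin)
# Emits: `ipset create`, one `ipset add` per banned source found in CHAIN,
# and a single INPUT rule that matches the set on all PORTS at once.
# hash:net accepts both /32 hosts and wider prefixes; -exist makes the
# commands idempotent so the script can be re-run safely.
to_ipset() {
    chain=$1; setname=$2; ports=$3
    printf 'ipset create %s hash:net -exist\n' "$setname"
    awk -v chain="$chain" -v setname="$setname" '
        # rule lines look like: -A <chain> -s <addr/prefix> -j REJECT ...
        $1 == "-A" && $2 == chain && $3 == "-s" {
            printf "ipset add %s %s -exist\n", setname, $4
        }'
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -m set --match-set %s src -j REJECT --reject-with icmp-port-unreachable\n' \
        "$ports" "$setname"
}

# Number of `ipset add` lines generated from the sample (used by the checks).
count_bans() {
    printf '%s\n' "$SAMPLE_DUMP" | to_ipset f2b-sshd f2b-sshd 22,2222 | grep -c '^ipset add'
}

printf '%s\n' "$SAMPLE_DUMP" | to_ipset f2b-sshd f2b-sshd 22,2222
```

The generated lines replace the N per-address rules in the chain with one set lookup, which is what the ipset suggestion buys you.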
I am considering moving to ufw
It is up to you. I see no reason to use ufw. At least, it doesn't support ipset:)
Also, check (using update-alternatives) whether you are using iptables or nft.
You may be interested in a good iptables tutorial:
(section 9.8)