When decommissioning servers or during security hardening, administrators often need to implement extremely restrictive firewall policies. The requirement to allow only SSH while blocking all other traffic (both inbound and outbound) is common for:
- Retired servers kept online for emergency access
- Forensic analysis of potentially compromised systems
- Security testing environments
- Temporary lockdown during migration phases
Here's the complete iptables ruleset to implement this strict policy:
# Flush all existing rules
iptables -F
iptables -X
# Set default policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow established SSH connections (stateful firewall)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new SSH connections (adjust --dport if SSH listens on a non-standard port).
# No matching OUTPUT rule is needed: the server's replies belong to the same
# connection and are already accepted by the ESTABLISHED,RELATED rule above.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Optional: Allow ICMP (ping) if needed
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
When applying these rules, consider these safety measures:
# 1. Rate-limit new SSH connections so that a brute-force attempt cannot monopolise the one
#    open port (the same mechanism as the rate limiting shown further below, here with a
#    5-minute window). These rules must sit BEFORE the SSH ACCEPT rule or they are never
#    reached, so insert them at the top of INPUT; the --set rule is inserted last so that it
#    ends up first. The 4th new connection from one source within 300 seconds is dropped.
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# 2. Prepare a failsafe that restores access from a trusted address. Writing the script does
#    nothing by itself: schedule it (for example with at or cron) before applying the rules,
#    and cancel it once you have confirmed you can still log in. It uses -I so the rule lands
#    ahead of any rate-limit DROP.
echo "iptables -I INPUT -p tcp --dport 22 -s YOUR_TRUSTED_IP -j ACCEPT" > /root/firewall_failsafe.sh
chmod +x /root/firewall_failsafe.sh
# 3. Use iptables-apply, which reverts to the previous ruleset unless you confirm the change within its timeout
iptables-apply /etc/iptables.rules
After implementation, verify the rules are working as intended:
# Check current rules
iptables -L -v -n
# Monitor SSH connections in real-time
watch -n 1 "iptables -L INPUT -v -n | grep 'dpt:22'"
# Test outgoing connectivity (should fail)
curl -I https://google.com
ping 8.8.8.8
To make these rules persistent:
# Save rules (Debian/Ubuntu)
iptables-save > /etc/iptables.rules
# For CentOS/RHEL (requires the iptables-services package on RHEL 7 and later):
service iptables save
# Or, on Debian/Ubuntu, restore the saved file before the network interfaces come up:
cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-pre-up.d/iptables
For additional security, implement connection rate limiting. Insert these rules before the SSH ACCEPT rule (appending them after it means they are never reached):
# Allow at most 3 new connections per minute from a single IP; the 4th within 60 seconds is dropped
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
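As an added, runnable illustration of the ruleset, the rate limiting and the safety measures above (this script is not part of the original article): gen_rules emits the SSH-only policy in iptables-restore format with the rate-limit rules placed ahead of the ACCEPT rule, check_rules verifies the DROP policies and that ordering on a ruleset before it is loaded, and apply_with_rollback loads it with a timed revert to a saved backup, the same idea iptables-apply implements. It uses -m conntrack --ctstate, the current equivalent of -m state --state. SSH_PORT, TRUSTED_IP, BACKUP, ROLLBACK_SECS and the /run/lockdown.* marker files are names chosen for this example, not anything the article defines.

```shell
#!/bin/sh
# ssh_only_lockdown.sh: added example, not from the original article.
# Generates an SSH-only ruleset and applies it with a timed rollback.
# SSH_PORT, TRUSTED_IP, BACKUP, ROLLBACK_SECS and /run/lockdown.* are assumed names.

SSH_PORT="${SSH_PORT:-22}"
TRUSTED_IP="${TRUSTED_IP:-}"   # optional: restrict NEW SSH to one source address
BACKUP="${BACKUP:-/root/iptables.before-lockdown}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Print the ruleset (iptables-restore format) to stdout.
# $1 = SSH port, $2 = optional trusted source address.
# Ordering matters: the rate-limit pair precedes the ACCEPT rule, so the 4th new
# connection from one source within 60 seconds is dropped (3 per minute allowed).
gen_rules() {
    port="$1"; src="$2"
    srcopt=""
    [ -n "$src" ] && srcopt="-s $src "
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp ${srcopt}--dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity-check a ruleset text before loading it: INPUT and OUTPUT default to DROP,
# an SSH ACCEPT rule exists, and the hitcount DROP rule comes before it.
# $1 = ruleset text, $2 = SSH port. Returns 0 when every check holds.
check_rules() {
    rules="$1"; port="$2"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $port .*-j ACCEPT" | head -1 | cut -d: -f1)
    limit_line=$(printf '%s\n' "$rules" | grep -n -- "--hitcount" | head -1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$limit_line" ] && [ "$limit_line" -lt "$accept_line" ]
}

# Save the live ruleset, load the new one, and restore the backup after
# ROLLBACK_SECS unless confirm_lockdown has run. Needs root and iptables.
apply_with_rollback() {
    iptables-save > "$BACKUP" || return 1
    new=$(gen_rules "$SSH_PORT" "$TRUSTED_IP")
    check_rules "$new" "$SSH_PORT" || { echo "generated ruleset failed checks" >&2; return 1; }
    printf '%s\n' "$new" | iptables-restore || return 1
    rm -f /run/lockdown.confirmed
    ( sleep "$ROLLBACK_SECS"; [ -e /run/lockdown.confirmed ] || iptables-restore < "$BACKUP" ) &
    echo $! > /run/lockdown.rollback.pid
    echo "Rules applied; run '$0 confirm' within ${ROLLBACK_SECS}s or they revert to $BACKUP."
}

# Run from a freshly opened SSH session to keep the new rules.
confirm_lockdown() {
    touch /run/lockdown.confirmed
    kill "$(cat /run/lockdown.rollback.pid 2>/dev/null)" 2>/dev/null
    echo "Lockdown confirmed; rollback cancelled."
}

case "${1:-}" in
    apply)   apply_with_rollback ;;
    confirm) confirm_lockdown ;;
    show)    gen_rules "$SSH_PORT" "$TRUSTED_IP" ;;
esac
```

Run `sh ssh_only_lockdown.sh show` to inspect the generated ruleset, `sh ssh_only_lockdown.sh apply` to load it, then open a new SSH session and run `sh ssh_only_lockdown.sh confirm` before the timer expires; if the new session never connects, the backup is restored automatically.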
When locking down a Linux server, the most restrictive approach is to permit only SSH access while blocking all other inbound and outbound traffic. Here's how to implement this with iptables:
# Flush existing rules
iptables -F
iptables -X
# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow established connections in both directions (without the OUTPUT rule the
# server's SSH replies would be dropped by the OUTPUT policy)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new SSH connections (port 22)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow DNS resolution (optional but recommended)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
Before applying these rules:
- Ensure you have physical/console access or an alternative connection method
- Test rules with iptables-apply, which automatically reverts the change if you lose the connection
- Consider whitelisting your IP address temporarily
To make rules persistent across reboots:
# For Debian/Ubuntu:
apt install iptables-persistent
netfilter-persistent save
# For RHEL/CentOS:
service iptables save
Check active rules and monitor traffic:
iptables -L -v -n
iptables -L -v -n --line-numbers
# View connection attempts:
grep sshd /var/log/auth.log
- If locked out, use the service provider's console access
- Check for conflicting firewall services (ufw, firewalld)
- Test from a remote host with nc -zv [IP] 22