# Using iptables isn't the most efficient way of doing this, but here are
# some useful rules that prevent unwanted connections efficiently and
# effectively.
# With iptables, the raw table is the earliest point at which you can block
# traffic: it is consulted before connection tracking and before every other
# table. Pairing it with the PREROUTING chain is therefore effective.
# Blocking your SSH port from outside connections, except from your own IP
# address, is as easy as follows.
# This accepts your IP address and must be added first, so that the DROP
# rule added next does not lock you out.
iptables -t raw -A PREROUTING -p tcp -s YOUR_IP --dport 22 -m comment --comment "SSH Whitelist" -j ACCEPT
# Note that there is no connection-state match in these rules: the raw table
# is traversed before connection tracking has seen the packet, so
# "-m conntrack --ctstate NEW,ESTABLISHED" can never match here. State-based
# rules belong in the filter table's INPUT chain. The comment match also has
# to be loaded explicitly with "-m comment" before "--comment" is accepted.
# This is the rule that blocks all other SSH connections from outside of
# your own IP address. If you have not executed the command above,
# your server will not allow you to connect.
iptables -t raw -A PREROUTING -p tcp --dport 22 -m comment --comment "SSH Blacklist" -j DROP
# If you have done this correctly, you shouldn't be able to connect
# to SSH unless you are coming from the IP address given in the first rule.
# BPF filters can also be used to build packet-specific matches (the bpf
# match needs the xt_bpf kernel module). Here is an example.
# The bytecode must be compiled for the RAW link type: xt_bpf runs the
# program on the packet starting at the IP header, with no Ethernet header
# in front of it, so bytecode produced by "tcpdump -dd" for an Ethernet
# interface (the "40 0 0 12 / 21 0 3 2048" ethertype check) reads the wrong
# offsets. nfbpf_compile, from the iptables utilities, emits the decimal
# format that -m bpf expects.
iptables -t raw -A PREROUTING -p udp --dport 53 -m bpf --bytecode "$(nfbpf_compile RAW 'ip and udp')" -j DROP
# This rule contains bytecode that translates to "ip and udp".
# This basically means: if the packet is IP and it is being sent over UDP,
# block it (combined with --dport 53 here, so it drops UDP DNS traffic;
# the "-p udp" match already restricts the rule to UDP, the BPF program
# simply illustrates the mechanism).
# You can get very specific with this. For example, a filter such as
# "udp and port 53 and len <= 512 and host HOST" (HOST being the address
# you have in mind) can be compiled the same way.
# This is a very intricate way to block connections and shouldn't be
# used unless you are aware of how to use it.
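# The following script is an added example, not part of the original notes:
# it installs the SSH whitelist/blacklist pair and the BPF DNS rule from above
# through small functions instead of hand-typed commands. It refuses to install
# the DROP rule without a valid whitelist address (the lockout warned about
# above), checks each rule with "iptables -C" before appending it so that
# re-running the script does not duplicate rules, and sanity-checks BPF
# bytecode before handing it to -m bpf. The variables IPT and DRY_RUN, the
# function names and the 203.0.113.x addresses are assumptions of this
# example, not something the notes define.

```shell
#!/bin/sh
# Added example (not part of the original notes). Assumptions: IPT names the
# iptables binary (default "iptables"); DRY_RUN=1 prints the commands that
# would be run instead of executing them; addresses are illustrative only.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Coarse syntax check: a dotted-quad IPv4 address with an optional /prefix.
# Anything else (empty string, hostnames, shell metacharacters) is rejected,
# so a bad value can never turn the whitelist rule into something unexpected.
is_ipv4() {
    case "$1" in
        ""|*[!0-9./]*|.*|*.|*..*|*/*/*) return 1 ;;
    esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: single host
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Append a raw/PREROUTING rule only if an identical one is not already there.
# Arguments are passed through unchanged (no eval), so values containing
# spaces, such as the comment text, stay single arguments.
ensure_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s -t raw -A PREROUTING %s\n' "$IPT" "$*"
        return 0
    fi
    "$IPT" -t raw -C PREROUTING "$@" 2>/dev/null ||
        "$IPT" -t raw -A PREROUTING "$@"
}

# Install the whitelist ACCEPT first, then the catch-all DROP. Order matters:
# raw/PREROUTING is evaluated top to bottom, and there is no conntrack state
# to match on here because the raw table runs before connection tracking.
install_ssh_rules() {
    src=$1; port=${2:-22}
    if ! is_ipv4 "$src"; then
        echo "refusing: '$src' is not an IPv4 address; a DROP rule without" \
             "a whitelist would lock you out" >&2
        return 1
    fi
    ensure_rule -p tcp -s "$src" --dport "$port" \
        -m comment --comment "SSH Whitelist" -j ACCEPT &&
    ensure_rule -p tcp --dport "$port" \
        -m comment --comment "SSH Blacklist" -j DROP
}

# Check the decimal BPF format "N,code jt jf k,code jt jf k,...": N must equal
# the number of instructions, each instruction needs four numeric fields, and
# the program must end in a RET (opcode 6 = ret #k, 22 = ret a). The kernel
# rejects a malformed program anyway; checking first gives a clear error
# instead of a bare "Invalid argument" from iptables.
bpf_bytecode_ok() {
    prog=${1%,}                  # tolerate a trailing comma
    n=${prog%%,*}
    body="${prog#*,},"
    count=0; last=""
    while [ -n "$body" ]; do
        insn=${body%%,*}; body=${body#*,}
        set -- $insn
        [ $# -eq 4 ] || return 1
        case "$1$2$3$4" in *[!0-9]*) return 1 ;; esac
        count=$((count + 1)); last=$1
    done
    [ "$n" = "$count" ] || return 1
    [ "$last" = 6 ] || [ "$last" = 22 ]
}

# Drop UDP/53 packets matched by a RAW-link-type BPF program, for example
# the output of: nfbpf_compile RAW 'ip and udp'
install_dns_bpf_rule() {
    if ! bpf_bytecode_ok "$1"; then
        echo "refusing: malformed BPF bytecode '$1'" >&2
        return 1
    fi
    ensure_rule -p udp --dport 53 -m bpf --bytecode "$1" -j DROP
}
```

# Source the file and call the functions: "DRY_RUN=1; . ./raw_rules.sh;
# install_ssh_rules 203.0.113.5" prints the two commands in the order they
# would be applied; with DRY_RUN unset the same call applies them (and is safe
# to repeat, since existing rules are detected with -C). For the DNS rule,
# pass the nfbpf_compile output: install_dns_bpf_rule "$(nfbpf_compile RAW
# 'ip and udp')".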
# For more info about these subjects visit:
# https://biot.com/capstats/bpf.html
# https://linux.die.net/man/8/iptables