  1. #1
    Just Joined!
    Join Date
    Aug 2009
    Posts
    3

    IPTables help - Block all port 21 incoming traffic


    Hello all.
    I am trying to write a very basic iptables firewall for my router.

    All I want is to block all incoming traffic to port 21 of my router, with a couple of exceptions based on ip address. I have cobbled together the following script, but it just locks me out totally. Can you help me at all?
    Thanks
    Code:
    iptables -F

    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P INPUT ACCEPT

    iptables -I INPUT -p tcp --dport 21 -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -p tcp -s xx.xxx.xxx.xxx --dport 21 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp -s xxx.xxx.xxx.xx --dport 21 -m state --state NEW -j ACCEPT

  2. #2
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    Not to tell you how you should do it, but I think it is best practice to disable everything, and only open up ports for the services you need running. That way you don't have to muck around with disabling things. It will be a lot easier to maintain in the long run. That being said, you will need to also allow them with state Established,Related I think.

  3. #3
    Just Joined!
    Join Date
    Aug 2009
    Posts
    3
    You are absolutely right of course, but not sure how much simpler it is as I only have a route in over port 21 and ports 80 and 8080?

    I am open to advice, the key is I need to know how to do it in the first place, and it is baffling me!!!

  4. #4
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,756
    Iptables HowTo (Many more to choose from)

    Code:
    iptables -F <= Flush all rules
    
    iptables -P OUTPUT ACCEPT 
    iptables -P FORWARD ACCEPT 
    iptables -P INPUT ACCEPT <= Set default on INPUT rule to accept. This is only used if NO other rules in the chain match.
    
    iptables -I INPUT -p tcp --dport 21 -j DROP <= DROP *ALL* connections destined for port 21 (!?!?!?)
    iptables -A INPUT -i lo -j ACCEPT 
    iptables -A OUTPUT -o lo -j ACCEPT 
    iptables -A INPUT -p tcp -s xx.xxx.xxx.xxx --dport 21 -m state --state NEW -j ACCEPT 
    iptables -A INPUT -p tcp -s xxx.xxx.xxx.xx --dport 21 -m state --state NEW -j ACCEPT
    Rule #1: ORDER MATTERS. Read the many tutorials. Rules are processed in order. If you look at your resulting rules, the first rule is drop all port 21 connections. The accept rule is never even used.

  5. #5
    Just Joined!
    Join Date
    Aug 2009
    Posts
    3
    Ah that makes sense.
    I have looked through the tutorials and have come to the conclusion that I do indeed want to block all incoming traffic except for traffic from 2 IP addresses.
    I am trying the following script, but it just locks me out again.

    Code:
    # Flush all chains
    iptables --flush

    # Allow unlimited traffic on the loopback interface
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Set default policies
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Previously initiated and accepted exchanges bypass rule checking
    # Allow unlimited outbound traffic
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Allow Office
    iptables -A INPUT -p tcp -s XXX -m state --state NEW -j ACCEPT

    # Drop all other traffic
    iptables -A INPUT -j DROP

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Your source address, are you sure that it is correct?
    How are you connecting to the box? Telnet/SSH/FTP?

    You don't give enough information about the source address except '-s XXX' which could be the problem. Ensure that this address matches the system's ip address that you are trying to connect from. If you are using DHCP where you are there could be more issues.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
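    The points raised across #4, #5 and #6 (append every ACCEPT before the catch-all, keep ESTABLISHED,RELATED ahead of any NEW rule, and make sure the whitelisted source address is real before applying) can be put into one script. The following is an added example, not code from any poster in this thread. It assumes two constructed office addresses, 192.0.2.10 and 198.51.100.20 (RFC 5737 documentation prefixes standing in for the xx.xxx.xxx.xxx hosts above), the ports 21, 80 and 8080 named in #3, and the standard `multiport` and `state` matches; the helper names `ipt`, `valid_ipv4`, `apply_rules` and `rule_line` are my own. By default it only prints the iptables commands; run it as root with `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): a default-deny INPUT
# chain for the router, ordered as #4 explains and refusing to run when a
# whitelisted address is an unexpanded placeholder (the lock-out #6 warns of).
# Addresses below are constructed sample values (RFC 5737 documentation space).

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands only; 0 = apply (needs root)
OFFICE_IPS="${OFFICE_IPS:-192.0.2.10 198.51.100.20}"   # constructed sample values

# Echo the command in dry-run mode, execute it otherwise.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# True only for a dotted quad with every octet in 0..255. A placeholder such
# as "XXX" fails here instead of becoming a rule that matches nothing, which
# is how the '-s XXX' line in #5 would leave its author shut out.
valid_ipv4() {
    case $1 in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the chains for the given whitelisted hosts. Every ACCEPT is appended
# (-A) before the catch-all, so nothing is shadowed the way the inserted (-I)
# DROP in #1 shadowed the two ACCEPT rules that followed it.
apply_rules() {
    [ $# -ge 1 ] || { echo "usage: apply_rules IP..." >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "refusing to apply: '$ip' is not an IPv4 address" >&2; return 1; }
    done

    ipt -F
    # Start permissive so the flush never leaves the box closed mid-script.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT

    # Loopback is unrestricted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections already open, including the session that is
    # running this script, are accepted before any NEW-connection rule.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Whitelisted hosts may open connections to the services named in #3.
    for ip in "$@"; do
        ipt -A INPUT -p tcp -s "$ip" -m multiport --dports 21,80,8080 \
            -m state --state NEW -j ACCEPT
    done

    # The catch-all goes last; as the chain policy it also covers packets
    # that no later-added rule matches.
    ipt -P INPUT DROP
}

# Line number of the first generated rule matching PATTERN, read from stdin;
# useful for checking the ordering of the dry-run output.
rule_line() {
    grep -n -- "$1" | head -n 1 | cut -d: -f1
}

apply_rules $OFFICE_IPS
```

    In dry-run mode the printed list shows the ESTABLISHED,RELATED rule and both office rules above the final policy change; `apply_rules XXX` exits with an error before touching the firewall. When applying for real, keep a second session open or schedule a flush with `at` a few minutes out so a mistake in the list does not cost you the box.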
