08-24-2009 #1, Just Joined! (Join Date Aug 2009, Posts 3)
IPTables help - Block all port 21 incoming traffic
Hello all.
I am trying to write a very basic iptables firewall for my router.
All I want is to block all incoming traffic to port 21 of my router, with a couple of exceptions based on IP address. I have cobbled together the following script, but it just locks me out totally. Can you help me at all?
Thanks
Code:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s xx.xxx.xxx.xxx --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xx --dport 21 -m state --state NEW -j ACCEPT
08-24-2009 #2
Not to tell you how you should do it, but I think it is best practice to disable everything, and only open up ports for the services you need running. That way you don't have to muck around with disabling things. It will be a lot easier to maintain in the long run. That being said, you will need to also allow them with state Established,Related I think.
08-24-2009 #3, Just Joined! (Join Date Aug 2009, Posts 3)
You are absolutely right of course, but not sure how much simpler it is as I only have a route in over port 21 and ports 80 and 8080?
I am open to advice, the key is I need to know how to do it in the first place, and it is baffling me!!!
08-24-2009 #4, Linux Guru (Join Date Nov 2007, Posts 1,695)
Iptables HowTo (Many more to choose from)
Rule #1: ORDER MATTERS. Read the many tutorials. Rules are processed in order. If you look at your resulting rules, the first rule is drop all port 21 connections. The accept rule is never even used.
Code:
iptables -F                                   <= Flush all rules
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT                      <= Set default on INPUT rule to accept. This is only used if NO other rules in the chain match.
iptables -I INPUT -p tcp --dport 21 -j DROP   <= DROP *ALL* connections destined for port 21 (!?!?!?)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s xx.xxx.xxx.xxx --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xx --dport 21 -m state --state NEW -j ACCEPT
08-25-2009 #5, Just Joined! (Join Date Aug 2009, Posts 3)
Ah that makes sense.
I have looked through the tutorials and have come to the conclusion that I do indeed want to block all incoming traffic except for traffic from 2 IP addresses.
I am trying the following script, but it just locks me out again
Code:
# Flush all chains
iptables --flush
# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow Office
iptables -A INPUT -p tcp -s XXX -m state --state NEW -j ACCEPT
# Drop all other traffic
iptables -A INPUT -j DROP
08-25-2009 #6
Your source address: are you sure that it is correct?
How are you connecting to the box? Telnet/SSH/FTP?
You don't give enough information about the source address except '-s XXX', which could be the problem. Ensure that this address matches the IP address of the system you are trying to connect from. If you are using DHCP where you are, there could be more issues.
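Pulling the replies together (default-deny from #2, rule order from #4, the source-address check from #6), the following is an added example script; it is not the original poster's script and not from any reply in the thread. The two admin addresses and the DRY_RUN switch are assumptions introduced here: the addresses are constructed placeholders from the documentation ranges, and DRY_RUN=1 (the default) only prints the rules so the order can be reviewed without root or a live router. It also opens ports 80 and 8080, which the poster says are the only other inbound services.

```shell
#!/bin/sh
# Added example, not the thread's own script. Default-deny INPUT chain that
# admits port 21 only from two admin hosts and 80/8080 from anywhere.
# ADMIN1/ADMIN2 are constructed placeholders (TEST-NET ranges); replace them.
# DRY_RUN=1 prints the commands instead of running iptables.

ADMIN1="192.0.2.10"       # assumed placeholder for the first allowed address
ADMIN2="198.51.100.20"    # assumed placeholder for the second allowed address
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the same script can be reviewed (printed) or applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # 1. Start with the policy at ACCEPT and a clean chain, so a script that
    #    aborts halfway cannot leave the box unreachable.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 2. Loopback and already-established exchanges first: these match most
    #    packets, and they must sit above any DROP (first match wins).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Port 21 only from the two admin hosts. Because the chain is walked in
    #    order, these ACCEPTs are reached before the default-deny policy.
    for src in "$ADMIN1" "$ADMIN2"; do
        ipt -A INPUT -p tcp -s "$src" --dport 21 -m state --state NEW -j ACCEPT
    done
    # 4. Web ports open to everyone.
    ipt -A INPUT -p tcp -m multiport --dports 80,8080 -m state --state NEW -j ACCEPT
    # 5. Default deny goes LAST: every exception above is in place before it bites.
    ipt -P INPUT DROP
}

# Lockout guard from reply #6: confirm the address you are connecting from is
# one of the allowed sources before switching DRY_RUN off. Returns 0 if allowed.
check_admin() {
    case " $ADMIN1 $ADMIN2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

apply_rules
```

Run it once with the default DRY_RUN=1 and read the printed order: the two port-21 ACCEPT lines must appear before the final `-P INPUT DROP`, which is exactly the ordering the poster's first script got backwards by inserting the DROP at the top with `-I`. Only after `check_admin` succeeds for your own client address (for an SSH session it is the first field of `$SSH_CLIENT`) should DRY_RUN=0 be used on the router.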