#1 | Just Joined! | Join Date: Sep 2006 | Location: germany | Posts: 4

    Internal firewall with IPtables


    Hi,
    I want to deny specific ports to my router/server from my LAN with iptables.
    I already set up a script for my firewall. I didn't write it on my own, so I have questions about adding rules to set up an internal firewall.

    An example:
    I want to deny Port 22 (ssh) from IP 192.168.10.3 to my router/server with IP 192.168.10.1

    my rule would look like:
    Code:
    $IPTABLES -A INPUT -p all -i $LAN_IFACE -s 192.168.10.3 --dport 22 -j DROP

    Is this correct?

    thx .. I need help!!

#2 | Just Joined! | Join Date: Sep 2005 | Location: New delhi | Posts: 22
    Quote Originally Posted by Trolli
    Hi,
    An example:
    I want to deny Port 22 (ssh) from IP 192.168.10.3 to my router/server with IP 192.168.10.1

    my rule would look like:
    Code:
    $IPTABLES -A INPUT -p all -i $LAN_IFACE -s 192.168.10.3 --dport 22 -j DROP
    Is this correct?
    Assuming you are running this rule on your router/server itself, the above iptables rule will work absolutely fine.

#3 | Just Joined! | Join Date: Sep 2006 | Location: germany | Posts: 4
    But when I restart iptables... I get an error.
    Here is the output (the problem is in bold):

    -------------------------------------------------------------

    Removing all iptables rules: [End of flush]
    Iptables rules creation:

    Loading Firewall...

    External Interface: ppp0
    Internal Interface: eth1
    enabling forwarding...
    enabling DynamicAddr...
    clearing any existing rules and setting default policy..
    setting up firewall rules..
    setting up ICMP rules..
    setting up TCP rules..
    setting up UDP rules..
    iptables v1.3.3: Unknown arg `--dport'
    Try `iptables -h' or 'iptables --help' for more information.

    setting up FORWARD chain..
    setting up OUTPUT chain..
    setting up PREROUTING chain..
    Enabling SNAT (MASQUERADE) functionality on

    -------------------------------------------------------------

    I read several iptables tutorials, but all of them specify a port via "--dport".
    Could you help?

#4 | Just Joined! | Join Date: Sep 2005 | Location: New delhi | Posts: 22
    Quote Originally Posted by amitsharma_26
    Assuming you are running this rule on your router/server itself, this above iptable rule will work absolutely fine.
    Code:
    $IPTABLES -A INPUT -p all -i $LAN_IFACE -s 192.168.10.3 --dport 22 -j DROP
    Somehow I didn't notice that: you have to specify "-p tcp" or "-p udp" for --dport to work. With -p all it will not work. Kindly correct that, and in your rule, instead of all, please mention tcp.

#5 | Just Joined! | Join Date: Sep 2006 | Location: germany | Posts: 4
    First of all, thx amitsharma_26,
    the iptables restart worked without errors now.

    I tested it with port 80 to check if the rule works (I didn't want to lose my SSH remote). But it didn't work at all. I could reach my Apache as if nothing was set!!?

    Could it be that other rules "overrule" my new rule?
    Here is, hopefully, the whole section for internal traffic:
    Code:
    # 
    # Rules for special networks not part of the Internet
    #
    
    $IPTABLES -A INPUT -p all -i $LO_IFACE -j ACCEPT
    $IPTABLES -A INPUT -p all -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
    $IPTABLES -A INPUT -p all -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #my new rule
    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s 192.168.10.2 --dport 80 -j DROP
    ....please help!
    greetz to india from germany

#6 | Just Joined! | Join Date: Sep 2005 | Location: New delhi | Posts: 22
    With no default policy of DROP for any chain, you have to specify the DROP rules above the ACCEPT ones, and that is the fault in your case. Put the new rule, i.e.
    Code:
    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s 192.168.10.2 --dport 80 -j DROP
    above all the ACCEPT rules, and it will work like a charm.
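The two problems in this thread (--dport without -p tcp/udp in posts #3 and #4, and the DROP rule appended after a broad ACCEPT in posts #5 and #6) come down to how iptables walks a chain: the first matching rule decides, and --dport is only defined for tcp/udp. The following is an added example, not code from the thread, that simulates those semantics over the INPUT rules posted above; it assumes LO_IFACE=lo, LAN_IFACE=eth1, INET_IFACE=ppp0 and LAN_IP_RANGE=192.168.10.0/24.

```python
# Added example (not from the thread): first-match simulator for the posted INPUT chain.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

@dataclass
class Packet:
    iface: str
    src: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state as seen by -m state

@dataclass
class Rule:
    target: str                 # ACCEPT or DROP
    iface: Optional[str] = None  # -i
    src: Optional[str] = None    # -s host or CIDR
    proto: Optional[str] = None  # -p; None behaves like "-p all"
    dport: Optional[int] = None  # --dport
    states: Optional[Set[str]] = None  # -m state --state

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or pkt.iface == self.iface)
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src, strict=False))
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.states is None or pkt.state in self.states))

def lint(rule: Rule) -> Optional[str]:
    # --dport exists only for tcp/udp: the cause of the "Unknown arg `--dport'" error in post #3
    if rule.dport is not None and rule.proto not in ("tcp", "udp"):
        return "--dport needs -p tcp or -p udp"
    return None

def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule wins, otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# The rules from post #5, with the assumed variable values substituted
accept_lo = Rule("ACCEPT", iface="lo")
accept_lan = Rule("ACCEPT", iface="eth1", src="192.168.10.0/24")
accept_est = Rule("ACCEPT", iface="ppp0", states={"ESTABLISHED", "RELATED"})
drop_http = Rule("DROP", iface="eth1", src="192.168.10.2", proto="tcp", dport=80)
AS_POSTED = [accept_lo, accept_lan, accept_est, drop_http]  # -A appends: DROP is never reached
CORRECTED = [drop_http, accept_lo, accept_lan, accept_est]  # DROP above the ACCEPT rules
HTTP_FROM_LAN = Packet("eth1", "192.168.10.2", "tcp", dport=80)
SSH_FROM_LAN = Packet("eth1", "192.168.10.2", "tcp", dport=22)
```

verdict(AS_POSTED, HTTP_FROM_LAN) returns ACCEPT because the broad LAN ACCEPT matches first, while verdict(CORRECTED, HTTP_FROM_LAN) returns DROP and SSH from the same host stays ACCEPT.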

#7 | Just Joined! | Join Date: Sep 2006 | Location: germany | Posts: 4

    I learned a lot.
    It works like a charm ... thx dude

    greetz again
    trolli
