- 04-27-2007 #1
IPtables help
Hi,
I'm setting up an apache cluster using ipvsadm
using a linux server as a router. My linux server
has two NICs and I have this script
#!/bin/sh
EXTIF="eth1"
INTIF="eth0"
# Clearing any existing rules and setting default policy
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# FWD: Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Enabling SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
to make the linux server a linux router.
I want to block all the ports on the external NIC ($EXTIF) except for ports 80,443,20,21.
Can someone give me some info on how to modify this script so that I can
block all the ports except the ones I've mentioned.
Thanks
- 04-27-2007 #2
You can allow and deny in /etc/hosts.allow and /etc/hosts.deny files, but it's probably best to have an iptables script in place. Go to www.netfilter.org and it will explain everything you need to know in order to complete this.
$Billz
How much wood would a wood chuck chuck if a wood chuck could chuck wood? None they eat plants!
Dell Optiplex GX260, LTSP Diskless Workstation, Fedora Core 6
- 04-28-2007 #3
Hm ... actually all these ports are already blocked for connections not requested from your local net. Your default rule for forwarding is DROP which is fine. So your setup is secure.
There is one issue: You accept all connections to your router
which might be risky. But if you don't have any services running on your router that's OK. I suggest removing the 4 lines if there is no strong reason for them
Code:
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
You should have all ports closed and open only the ports which have to be open.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
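The change post #1 asks for, written out as an added example rather than code from the thread: the FORWARD and MASQUERADE rules from the original script are kept as they are, the INPUT policy becomes DROP as post #3 recommends, and only TCP 80, 443, 20 and 21 are opened on the external NIC. Interface names (eth1 external, eth0 internal), the assumption that the LAN side is trusted, and the IPT/FW_APPLY variables used for dry runs are conventions of this example, not of iptables.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for the two-NIC router.
# Keeps the FORWARD/MASQUERADE rules from post #1, sets INPUT to DROP and
# opens only TCP 80, 443, 20 and 21 on the external NIC.
# Assumptions: eth1 is external, eth0 is the trusted LAN side; IPT and
# FW_APPLY are conventions of this example, not iptables options.
set -eu

EXTIF="${EXTIF:-eth1}"
INTIF="${INTIF:-eth0}"
IPT="${IPT:-iptables}"       # IPT=echo prints the rules instead of loading them
ALLOWED_TCP="80 443 20 21"   # TCP services reachable from the outside

firewall_rules() {
    # Flush everything, then default-deny on INPUT and FORWARD. OUTPUT stays
    # ACCEPT so the router itself can still resolve names, fetch updates etc.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the router or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets with no sane connection-tracking state are never wanted.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Anything from the internal side is accepted (assumes the LAN is trusted;
    # restrict this to specific ports if that is not the case).
    $IPT -A INPUT -i "$INTIF" -j ACCEPT

    # External side: only new connections to the listed TCP ports get in.
    for port in $ALLOWED_TCP; do
        $IPT -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything else arriving on $EXTIF falls through to the DROP policy;
    # log a rate-limited sample so port scans show up in the kernel log.
    $IPT -A INPUT -i "$EXTIF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "

    # Unchanged from the original script: LAN -> Internet out, only replies
    # back in, and masquerade everything leaving on $EXTIF.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Print the rule set without touching the kernel, for review before loading.
dry_run() {
    ( IPT=echo; firewall_rules )
}

# Sanity check on the dry run: number of INPUT rules that open a TCP port on
# $EXTIF. Must equal the number of entries in ALLOWED_TCP.
count_external_accepts() {
    dry_run | grep -c -- "-A INPUT -i $EXTIF -p tcp --dport [0-9]* -m state --state NEW -j ACCEPT"
}

# Load the rules only when explicitly requested (FW_APPLY=1 sh fw.sh as root);
# otherwise the file just defines the functions above.
if [ "${FW_APPLY:-0}" = "1" ]; then
    firewall_rules
fi
```

Review the output of `dry_run` first (for example `sh -c '. ./fw.sh; dry_run'`), then load with `FW_APPLY=1 sh fw.sh` as root. Two caveats for this particular setup: FTP data connections only match ESTABLISHED,RELATED when the FTP connection-tracking helper is loaded (`nf_conntrack_ftp`, called `ip_conntrack_ftp` on older 2.6 kernels), so passive-mode transfers need that module; and since IPVS picks packets for a virtual IP off the INPUT path after the filter table has run, the INPUT rules on the director must accept the balanced ports (80 and 443 here) or the cluster becomes unreachable once the policy is DROP.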