  1. #1  Just Joined! | Join Date: May 2010 | Posts: 2

    Closing / Blocking Ports with IPTABLES


    Hello, I'm new on this forum. And I'm pretty new to Linux as well.

    I was hoping that someone could either show me or point me in the general direction with what I'm trying to get accomplished.

    I'd like to block all ports for TCP traffic with the exception of a few ports.

    Let's say the ports I needed open are 40001-40003, 40010, 40020-40030 and 8080.

    I think I understand how to allow traffic to these ports for instance:

    Code:
    iptables -I INPUT 1 -p tcp --dport 40020:40030 -j ACCEPT
    This would allow tcp traffic on ports 40020 through 40030

    However, is there an easy way to block all the other ports on the server? Or what format would I use to block traffic on all the other ports besides the ones I wanted open?

    Thanks in advance...

  2. #2  Linux Enthusiast | Join Date: Jul 2005 | Location: Maryland | Posts: 522
    Start with dropping everything:

    Code:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    And then allow only what you need.

  3. #3  Linux Guru (Lazydog) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,672
    Look at this TUTORIAL for Multi Port and then you can look around it for other things.
    Do start out as stated above and DROP everything only allowing in what you need.

    Regards
    Robert

    Linux: The adventure of a life time.
    Linux User #296285

  4. #4  Linux User | Join Date: Nov 2009 | Location: France | Posts: 292
    Independently of the multiport aspect, if you start by blocking everything, you'll be locked out of your own machine. You'd better use a default (-P) DROP policy at the end of your config.
    0 + 1 = 1 != 2 <> 3 != 4 ...
    Until the camel can pass though the eye of the needle.

  5. #5  Just Joined! | Join Date: May 2010 | Posts: 2
    Thanks for the replies everyone. So here is what I have in my IPTABLES file:

    Code:
    *filter
    :INPUT ACCEPT [192:290022]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [455:321181]
    -A INPUT -p tcp -m tcp --dport 4406 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 40010 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 40002 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 40020:40030 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 40003 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 40001 -j ACCEPT 
    COMMIT
    Note: I'm using port 40010 for SSH and 40002/3 for http(s) and the other ports for some other application reasons.

    Now from my workstation I do :
    Code:
    sudo nmap -sS -p 0-65535 <SERVER>
    I get:
    Code:
    Starting Nmap 5.00 at 2010-05-17 09:59 PDT
    Interesting ports on 10.13.206.220:
    Not shown: 65524 closed ports
    PORT      STATE    SERVICE
    0/tcp     filtered unknown
    1011/tcp  open     unknown
    4406/tcp  open     unknown
    7937/tcp  open     nsrexecd
    7938/tcp  open     lgtomapper
    8080/tcp  open     http-proxy
    8404/tcp  open     unknown
    9918/tcp  open     unknown
    40001/tcp open     unknown
    40002/tcp open     unknown
    40003/tcp open     unknown
    40010/tcp open     unknown
    
    Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds

    Why are all those ports that are not in my iptables file showing up as open?

  6. #6  Linux User | Join Date: Nov 2009 | Location: France | Posts: 292
    1. Your input chain seems to be open to all traffic. There must be some services you are not aware of that use the open ports nmap finds. netstat may help you find out.

    2. When I said you should use a default (-P) DROP rule at the end of the chain, I was thinking about direct use of the iptables command, in the form
    Code:
    iptables -P INPUT DROP
    Your config seems to have been generated by the iptables-save utility; I'm not sure of that, perhaps by some GUI tool like Webmin or some other. The default rule seems to be applied before everything else, and in your case the default rule for the INPUT chain doesn't close any port in practice. So if your config script is managed by some tool, please ignore my previous post, which becomes void.

    3. You would have finer control over your firewall if you take some time learning the iptables command and script the firewall yourself.
    0 + 1 = 1 != 2 <> 3 != 4 ...
    Until the camel can pass though the eye of the needle.
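
The check post #6 suggests, finding the listeners behind the ports nmap reported, as an added example that is not part of the thread. It reads the socket table from ss (the current replacement for netstat; netstat -tln prints the same information but in a different column order, so the awk field would need adjusting) and prints every listening TCP port that is not on the intended list, port ranges included. The sample ss output below is constructed to mirror the nmap result in post #5, not captured from a real host; the allowed-port list and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists TCP ports the host is
# listening on that are not in the set the firewall is meant to expose.
#
# ALLOWED uses iptables --dport syntax: single ports or low:high ranges
# (assumed list, taken from the ports discussed in the thread).
ALLOWED="4406 8080 40001 40002 40003 40010 40020:40030"

# port_allowed PORT ALLOWED-LIST -> exit 0 if PORT is a listed port or lies
# inside a listed range, 1 otherwise.
port_allowed() {
    p=$1
    for entry in $2; do
        case $entry in
            *:*)
                lo=${entry%%:*}
                hi=${entry##*:}
                [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && return 0
                ;;
            *)
                [ "$p" -eq "$entry" ] && return 0
                ;;
        esac
    done
    return 1
}

# unexpected_listeners ALLOWED-LIST < ss-output
# Reads `ss -tln` lines (State Recv-Q Send-Q Local:Port Peer:Port), keeps
# only LISTEN rows (this also skips the header), takes the text after the
# last ':' of column 4 as the port so 0.0.0.0:22, [::]:22 and *:22 all
# work, de-duplicates, and prints the ports that are not allowed, sorted.
unexpected_listeners() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
        | sort -n | uniq \
        | while read -r port; do
              port_allowed "$port" "$1" || printf '%s\n' "$port"
          done
}

# Constructed sample of `ss -tln` output, modelled on the nmap result in
# post #5 (not captured from a real host). 40025 is inside an allowed range.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1011       0.0.0.0:*
LISTEN 0      128    0.0.0.0:4406       0.0.0.0:*
LISTEN 0      128    0.0.0.0:7937       0.0.0.0:*
LISTEN 0      128    0.0.0.0:7938       0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    *:8404             *:*
LISTEN 0      128    0.0.0.0:9918       0.0.0.0:*
LISTEN 0      128    0.0.0.0:40001      0.0.0.0:*
LISTEN 0      128    0.0.0.0:40002      0.0.0.0:*
LISTEN 0      128    0.0.0.0:40003      0.0.0.0:*
LISTEN 0      128    0.0.0.0:40010      0.0.0.0:*
LISTEN 0      128    0.0.0.0:40025      0.0.0.0:*'

# check_sample -> the unexpected ports from the constructed sample on one
# line, space separated.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED" \
        | tr '\n' ' ' | sed 's/ $//'
}

# On a live host, feed the real socket table in instead; -p adds the owning
# process to each row (root needed to see other users' processes):
#   ss -tlnp | unexpected_listeners "$ALLOWED"
check_sample
```

Every port this prints is a service that will be reachable the moment the INPUT policy is still ACCEPT, and one that needs either a firewall rule or, better, to be stopped or bound to 127.0.0.1 if nobody needs it from the network.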

  7. #7  Linux Guru (Lazydog) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,672
    Here is what your firewall should look like;

    Code:
    *filter
    # default policies: anything the INPUT/FORWARD rules below do not accept is dropped
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # replies to connections this host opened, plus related traffic (e.g. ICMP errors)
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new inbound TCP connections are accepted only on the listed ports
    -A INPUT -p tcp -m state --state NEW --dport 4406 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 40001 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 40002 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 40003 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 40010 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 40020:40030 -j ACCEPT
    COMMIT
    This is a STATEFUL firewall and it looks at the state of the connection to see if it is allowed. STATEFUL firewalls are more secure.
    See the tutorial I have provided and read up on the topic.

    Regards
    Robert

    Linux: The adventure of a life time.
    Linux User #296285

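Building the stateful ruleset from post #7 and loading it without the lockout risk raised in post #4, as an added example that is not part of the thread. It generates the iptables-restore file from a port list, accepts loopback traffic (which post #7's ruleset does not, so anything talking to 127.0.0.1 would be cut off once the policy is DROP), checks the file with iptables-restore --test before loading, and backs the load with a timed rollback to the previous rules. The paths /etc/iptables.rules, /run/iptables.previous and /run/iptables-rollback.pid, the 120-second delay and the function names are assumptions; `-m state` is kept to match the thread, `-m conntrack --ctstate` is the current equivalent.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the stateful ruleset
# from post #7 for a list of TCP ports and loads it with a rollback timer.
# Assumed paths: /etc/iptables.rules, /run/iptables.previous,
# /run/iptables-rollback.pid. The apply step must run as root.

# gen_ruleset PORT-LIST -> prints an iptables-restore file for the filter
# table. Entries use --dport syntax: a single port or low:high.
# Order matters: loopback and already-established traffic are accepted
# before the per-port rules, and the DROP policy catches everything else.
gen_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in $1; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_rules PORT-LIST -> number of lines gen_ruleset emits, so a caller
# can sanity-check that every port produced exactly one rule.
count_rules() {
    gen_ruleset "$1" | awk 'END { print NR }'
}

# apply_with_rollback RULES-FILE [SECONDS]
# Parses the file without loading it (iptables-restore --test), saves the
# running rules, loads the new ones, and schedules a restore of the saved
# rules after SECONDS (default 120). Keep your SSH session open; if you can
# still open a new one, cancel the rollback with
#     kill "$(cat /run/iptables-rollback.pid)"
# If you cannot, wait out the timer and the old rules come back.
apply_with_rollback() {
    rules=$1
    delay=${2:-120}
    iptables-restore --test "$rules" || return 1
    iptables-save > /run/iptables.previous || return 1
    iptables-restore "$rules" || return 1
    ( sleep "$delay" && iptables-restore /run/iptables.previous ) &
    echo $! > /run/iptables-rollback.pid
}

# Usage on the server from post #5 (40001-40003 collapse into one range):
#   gen_ruleset "4406 8080 40001:40003 40010 40020:40030" > /etc/iptables.rules
#   apply_with_rollback /etc/iptables.rules 120
gen_ruleset "4406 8080 40001:40003 40010 40020:40030"
```

Because iptables-restore loads the whole table atomically, there is never a moment where the policy is DROP but the SSH rule is missing, which is the window post #4 warns about when the same rules are typed one iptables command at a time.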