- 05-14-2010 #1 Just Joined!
- Join Date
- May 2010
- Posts
- 2
Closing / Blocking Ports with IPTABLES
Hello, I'm new on this forum. And I'm pretty new to Linux as well.
I was hoping that someone could either show me or point me in the general direction with what I'm trying to get accomplished.
I'd like to block all ports for TCP traffic with the exception of a few ports.
Let's say the ports I needed open are 40001-40003, 40010, 40020-40030 and 8080.
I think I understand how to allow traffic to these ports for instance:
This would allow tcp traffic on ports 40020 through 40030:
Code:
iptables -I INPUT 1 -p tcp --dport 40020:40030 -j ACCEPT
However, is there an easy way to block all the other ports on the server? Or what format would I use to block traffic on all the other ports besides the ones I wanted open?
Thanks in advance...
- 05-15-2010 #2 Linux Enthusiast
- Join Date
- Jul 2005
- Location
- Maryland
- Posts
- 522
Start with dropping everything:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
And then allow only what you need.
- 05-15-2010 #3
Look at this TUTORIAL for Multi Port and then you can look around it for other things.
Do start out as stated above and DROP everything only allowing in what you need.
- 05-15-2010 #4 Linux User
- Join Date
- Nov 2009
- Location
- France
- Posts
- 292
Independently of the multiport aspect, if you start by blocking everything, you'll be locked out from your own machine. You'd better use a default (-P) DROP policy at the end of your config.
0 + 1 = 1 != 2 <> 3 != 4 ...
Until the camel can pass through the eye of the needle.
- 05-17-2010 #5 Just Joined!
- Join Date
- May 2010
- Posts
- 2
Thanks for the replies everyone. So here is what I have in my IPTABLES file:
Note: I'm using port 40010 for SSH and 40002/3 for http(s) and the other ports for some other application reasons.
Code:
*filter
:INPUT ACCEPT [192:290022]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [455:321181]
-A INPUT -p tcp -m tcp --dport 4406 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 40010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 40002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 40020:40030 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 40003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 40001 -j ACCEPT
COMMIT
Now from my workstation I do:
Code:
sudo nmap -sS -p 0-65535 <SERVER>
I get:
Code:
Starting Nmap 5.00 at 2010-05-17 09:59 PDT
Interesting ports on 10.13.206.220:
Not shown: 65524 closed ports
PORT      STATE    SERVICE
0/tcp     filtered unknown
1011/tcp  open     unknown
4406/tcp  open     unknown
7937/tcp  open     nsrexecd
7938/tcp  open     lgtomapper
8080/tcp  open     http-proxy
8404/tcp  open     unknown
9918/tcp  open     unknown
40001/tcp open     unknown
40002/tcp open     unknown
40003/tcp open     unknown
40010/tcp open     unknown
Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds
Why are all those ports that are not in my iptables file showing up as open?
- 05-17-2010 #6 Linux User
- Join Date
- Nov 2009
- Location
- France
- Posts
- 292
1. Your input chain seems to be open to all traffic. There must be some services you are not aware of that use the open ports nmap finds. netstat may help you find out.
2. When I said you should use a default (-P) DROP rule at the end of the chain, I was thinking about direct use of the iptables command, in the form
Code:
iptables -P INPUT DROP
Your config seems to be generated by the iptables-save utility, I'm not sure of that, perhaps by using some GUI tool like Webmin or some other. The default rule seems to be applied before everything else and in your case, the default rule for the INPUT chain doesn't close any port practically. So if your config script is managed by some tool, please ignore my previous post, which becomes void.
3. You would have finer control on your firewall if you take some time learning the iptables command and script the firewall yourself.
0 + 1 = 1 != 2 <> 3 != 4 ...
Until the camel can pass through the eye of the needle.
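Post #6 suggests netstat to find the services behind the ports nmap reported as open. The script below is an added example, not code from any poster: it reads `netstat -ltn` style output and lists every non-loopback TCP listener that is not covered by the port list the firewall is meant to expose. The netstat lines are constructed to match the nmap result in post #5 (they were not captured from the poster's server), and the allowed port list is assumed from posts #1 and #5.

```shell
#!/bin/sh
# Added example: audit listening TCP ports against the firewall's intended
# port list. Not code from the thread; sample data is constructed.

# Constructed "netstat -ltn" output modelled on the nmap scan in post #5.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1011            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4406            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7937            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9918          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40010           0.0.0.0:*               LISTEN
tcp6       0      0 :::40002                :::*                    LISTEN'

# Ports the firewall is meant to expose (assumed from posts #1 and #5).
# Entries use the same notation as --dport: a single port or lo:hi.
ALLOWED_TCP="4406 8080 40001:40003 40010 40020:40030"

# Succeed if port $1 is covered by the space-separated spec $2.
port_allowed() {
    port="$1"
    for entry in $2; do
        case "$entry" in
            *:*)
                lo="${entry%%:*}"; hi="${entry##*:}"
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *)
                [ "$port" -eq "$entry" ] && return 0
                ;;
        esac
    done
    return 1
}

# Read netstat -ltn output on stdin and print one line per listening TCP
# port not covered by spec $1. Loopback-only listeners are skipped because
# the firewall does not expose them to the network.
unexpected_listeners() {
    allowed="$1"
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $4 }' | while read -r addr; do
        port="${addr##*:}"
        host="${addr%:*}"
        case "$host" in 127.*|::1) continue ;; esac
        port_allowed "$port" "$allowed" || echo "$port"
    done
}

# Run the audit over the constructed sample; returns the unexpected ports
# as one space-separated line so the result can be checked easily.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED_TCP" | xargs
}

# On a real host (needs the net-tools package for netstat):
#   netstat -ltn | unexpected_listeners "$ALLOWED_TCP"
# Each port printed is a service listening on a network-facing address that
# the firewall design never accounted for; identify it with netstat -ltnp.
```

Ports reported by this audit but absent from the ruleset are exactly the ones that post #6 attributes to services the poster did not know were running; with a default ACCEPT policy on INPUT, as in post #5's file, every one of them is reachable.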
- 05-18-2010 #7
Here is what your firewall should look like:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 4406 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 40001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 40002 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 40003 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 40010 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 40020:40030 -j ACCEPT
COMMIT
This is a STATEFUL firewall and it looks at the state of the connection to see if it is allowed. STATEFUL firewalls are more secure.
See the tutorial I have provided and read up on the topic.
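Post #4 warns that a DROP policy applied before the ACCEPT rules locks you out of your own machine, and post #7 shows the stateful ruleset that should replace the poster's ACCEPT-everything file. The script below is an added example, not code from any poster or tutorial: it generates a ruleset in post #7's style from a port list, so the whole table can be loaded in one atomic iptables-restore step and the DROP policy never takes effect without its ACCEPT rules. The port list is assumed from post #1; the loopback and INVALID rules are my additions and are not in post #7.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a default-DROP,
# stateful INPUT chain from a list of TCP ports. Not code from the thread.

# Ports to expose (assumed from post #1); lo:hi ranges use --dport notation.
ALLOWED_TCP="40001:40003 40010 40020:40030 8080"

# Print a complete *filter table. Because iptables-restore commits the whole
# table at once, the DROP policy and the ACCEPT rules for existing connections
# and the listed ports take effect together, avoiding the lock-out post #4
# describes when the policy is changed first on a live box.
gen_rules() {
    ports="$1"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Local traffic and replies to connections this host initiated
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no known connection and are not new connections
    echo '-A INPUT -m state --state INVALID -j DROP'
    # One rule per port or range, exactly as in post #7
    for p in $ports; do
        echo "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Number of NEW-connection ACCEPT rules in the generated table; a quick
# sanity check that every intended port produced a rule before applying.
count_new_accepts() {
    gen_rules "$1" | grep -c -- '--state NEW'
}

# Typical use (needs root; not run here):
#   gen_rules "$ALLOWED_TCP" > /tmp/rules.v4
#   iptables-restore < /tmp/rules.v4          # apply atomically
#   iptables -L INPUT -n --line-numbers       # verify the live chain
```

Keep the SSH port (40010 for the original poster) in the list before applying from a remote session, and test the generated file with `iptables-restore --test` where the installed version supports it. With the multiport match from post #3 the per-port lines could be collapsed into a single rule; the loop form is kept here because it mirrors post #7.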