Sonny To on 23 Aug 2007 14:35:34 -0000



Re: [PLUG] blocking ports using iptables

  • From: "Sonny To" <son.c.to@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] blocking ports using iptables
  • Date: Thu, 23 Aug 2007 10:35:29 -0400
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

Dan,
That was it. Thanks a lot! For the benefit of anyone who might be
trying to open ports 22 and 80 for ssh and http, but block everything
else, here's the complete iptables rule:

iptables -A INPUT -j ACCEPT -p tcp --destination-port 22 -i ppp0   # new inbound ssh
iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i ppp0   # new inbound http
iptables -A INPUT -j ACCEPT -p tcp -m state --state ESTABLISHED,RELATED -i ppp0   # replies to connections the box opened itself
iptables -A INPUT -j DROP -p tcp -i ppp0   # all other tcp arriving from outside

Order matters because the chain is matched from the top down.
ppp0 is the external interface (ADSL PPPoE).

On 8/23/07, Dan Widyono <dan@widyono.net> wrote:
> On Thu, Aug 23, 2007 at 12:52:29AM -0400, Sonny To wrote:
> > iptables -A  INPUT -j ACCEPT -p tcp --destination-port 22 -i ppp0
> > iptables -A  INPUT -j ACCEPT -p tcp --destination-port 80 -i ppp0
> > iptables -A INPUT -j DROP -p tcp -i ppp0
>
> > this rule is saying, drop everything coming in from ppp0 except on
> > port 22 & 80. computers on the LAN can connect out but the firewall
> > cannot connect out.
>
> When you SSH outbound, you're coming from a random high port, let's say 32768
> for this explanation.  When the sshd on the outside responds, it's replying
> to port 32768.  You have to allow for that as well coming in, using
> --source-port 22 and state ESTABLISHED,RELATED.  It's easier but broader (and
> therefore perhaps less secure) to have one rule to just allow all incoming
> ESTABLISHED,RELATED packets.  Saves typing.
>
> Dan W.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
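The top-down matching and the ESTABLISHED,RELATED point Dan makes above, as an added example that is not part of the original thread: a small Python model of how the INPUT chain is walked, run over the posted four rules, the same rules with the DROP appended first, and the original three-rule version without the state rule. Packet and rule fields, the sample packets, and the default chain policy of ACCEPT are assumptions of this model, not conntrack itself.

```python
from dataclasses import dataclass
from typing import List, Optional, FrozenSet

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    iface: str   # interface it arrived on, e.g. "ppp0"
    dport: int   # destination port on this box
    state: str   # conntrack's view: "NEW", "ESTABLISHED" or "RELATED"

@dataclass(frozen=True)
class Rule:
    target: str                              # -j ACCEPT / DROP
    proto: Optional[str] = None              # -p
    iface: Optional[str] = None              # -i
    dport: Optional[int] = None              # --destination-port
    states: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, pkt: Packet) -> bool:
        # Every match option given on the rule must hold; omitted ones match anything.
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or pkt.state in self.states))

def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; if nothing matches, the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

EST = frozenset({"ESTABLISHED", "RELATED"})
# The four rules as posted, in the order they were appended with -A.
POSTED = [
    Rule("ACCEPT", proto="tcp", iface="ppp0", dport=22),
    Rule("ACCEPT", proto="tcp", iface="ppp0", dport=80),
    Rule("ACCEPT", proto="tcp", iface="ppp0", states=EST),
    Rule("DROP", proto="tcp", iface="ppp0"),
]
DROP_FIRST = [POSTED[3]] + POSTED[:3]        # same rules, DROP appended first
NO_STATE = [POSTED[0], POSTED[1], POSTED[3]]  # the original three-rule version

def verdicts(rules: List[Rule]):
    """Verdicts for: new inbound ssh, new inbound tcp/4444, and the reply to an
    outbound ssh session that used local high port 32768 (constructed samples)."""
    probes = (Packet("tcp", "ppp0", 22, "NEW"),
              Packet("tcp", "ppp0", 4444, "NEW"),
              Packet("tcp", "ppp0", 32768, "ESTABLISHED"))
    return tuple(walk_chain(rules, p) for p in probes)
```

Note that every rule carries `-p tcp`, so a UDP or ICMP packet matches none of them and falls through to the chain policy; `verdicts(NO_STATE)` shows why the outbound ssh reply died before the state rule was added.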