iptables - block all ports except 20-21

Okay, I am trying to learn iptables. I have just built a new server that will be running samba, ssh, proftpd, and possibly apache in the near future. What i would like to do is close off all unneeded ports and only allow ports needed for my listed programs. I have been reading around on different sites about the iptables, but I would have to admit that i am a bit confused about the whole thing.



Okay, so, if i wanted to block all ports except 20-21 what would i have to do?


iptables -A -INPUT -i eth0 -sport 20:21 -j ACCEPT ??


iptables -A INPUT -i eth0 -sport 1:19 -j DROP ??



Lead me in the right direction!! please


Best thing is to disable all services that are not needed. When a service doesn't listen the port is not open, so no security risk. You don't need a firewall for that at all. But just to answer that question:


# Set the default policy of the INPUT chain to DROP
iptables -P INPUT DROP
# Accept incoming TCP connections from eth0 on ports 20 and 21
iptables -A INPUT -i eth0 -p tcp --dport 20:21 -j ACCEPT


'--dport' means destination port which is the port on your side. '--sport' (source port) would be the port on the client side.


I created an account just for this topic because I was searching for a similar thing, but I wanted to leave 21/80/443/25, etc.


The reason is that an attacker recently uploaded an IRC server to the /tmp folder, and if the ports have been blocked by the firewall the IRC server can't do its job. So the question has a meaning to me; thanks for the answers.


This is going to sound strange, but one of the best ways of learning IPtables is to have a local machine nearby and play with (graphical) firewall tools on it then examine what rulesets have been created as a result of experimentation. By having something close by, you have access to the console if the rules go wrong and lock you out.


The rules should be stored in /etc/sysconfig/iptables (or thereabouts).


I'd also say that many issues with rulesets are not about understanding how they work, but a lack of clarity about final objectives. The rulesets merely set up a policy; by sitting down away from a computer and working out what that policy should look like (and a test plan accordingly), it's relatively easy to translate those into firewall rules.


In terms of your question, Radu - zony's ruleset ought to do the trick:


# Set the default policy of the INPUT chain to DROP
iptables -P INPUT DROP
## -- now override with specific "accept" rules:
## Accept incoming TCP connections from eth0 on port 20 and 21
iptables -A INPUT -i eth0 -p tcp --dport 20:21 -j ACCEPT
## Accept SSH connections
## (- although this could have been included above with 20:22)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
## Accept incoming web connections
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

(by the way, I wouldn't leave 25 open - unless you're running a telnet honeypot)


Note that this will stop an IRCD server being installed (no open ports permitted to connect) but won't stop an IRCD bot working (no policy to block OUTPUT port connections), so you may want to consider that.


A strategy to prevent trojans being dropped and run in the /tmp dir is to create a separate /tmp slice and mount it with the NOEXEC option. Files will still be dropped in there, just that they can't run.


- have you conducted any more research upon how the server was compromised? I've got many different security measures in place to prevent this from happening (yes, it happened to me once)


Oh, and welcome to the forums!
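The two rulesets posted above, the OUTPUT-chain gap pointed out in the last reply, and the noexec /tmp advice, pulled together as one added example script that is not from this thread or any of its posters. It assumes the interface is eth0 as in the thread; the `APPLY` switch, the `rule` wrapper and the function names are my own. By default it only prints the iptables commands, so it can be read and tested without root; `APPLY=1` runs them for real.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the default-deny INPUT ruleset
# discussed above, adds the OUTPUT policy the last reply says is missing, and
# checks that /tmp is mounted noexec. With APPLY unset the commands are only
# printed; APPLY=1 (as root, with console access) executes them.
APPLY="${APPLY:-0}"
IFACE="${IFACE:-eth0}"          # assumed interface name, as in the thread

# Every rule goes through this wrapper so the whole set can be previewed first.
rule() {
    if [ "$APPLY" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# Default-deny inbound: loopback and replies to the server's own connections
# are allowed first (without this a DROP policy also kills DNS answers and
# package downloads), then only the service ports named in the thread.
inbound_rules() {
    rule -P INPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    for port in 20:21 22 80 443; do
        rule -A INPUT -i "$IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Restrictive outbound: the server may only resolve names, sync time and fetch
# over HTTP(S). Anything planted in /tmp that tries to open a new outbound
# connection to some other port hits the LOG rule and then the DROP policy,
# which both blocks it and leaves a trace in the kernel log.
outbound_rules() {
    rule -P OUTPUT DROP
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -p udp --dport 53 -j ACCEPT
    rule -A OUTPUT -p udp --dport 123 -j ACCEPT
    rule -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
}

# Reads a mount table in /proc/mounts format on stdin; succeeds only if the
# /tmp entry carries the noexec option.
tmp_is_noexec() {
    awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

inbound_rules
outbound_rules
if [ -r /proc/mounts ]; then
    if tmp_is_noexec < /proc/mounts; then
        echo "/tmp is mounted noexec"
    else
        # Example fstab line for a separate noexec /tmp (tmpfs used here for illustration):
        echo "/tmp allows execution; consider: tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0"
    fi
fi
```

Run it once without `APPLY` and read the printed commands before applying them from a console session, since a mistake in a DROP-by-default INPUT chain locks out SSH. For FTP, load the `nf_conntrack_ftp` module so the data connections (port 20 outbound in active mode, an ephemeral inbound port in passive mode) are classified RELATED and pass the conntrack rules; otherwise passive mode needs its port range opened explicitly.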

