Some iptables help

Dev Shed Forums Sponsor:

Stop making mediocre tutorials.The best tutorials are video! Camtasia Studio makes it easy to create engaging, buzz-building screen videos at any size, in any popular format. Download the free trial!

April 16th, 2008, 05:11 PM

Spyril

Contributing User

Join Date: Feb 2008

Posts: 33

Time spent in forums: 7 h 26 m 49 sec
Reputation Power: 1

Some iptables help

I'm trying to make an iptables rule that blocks connections established by an outside source, other than connections made to ports 20-23 and the ftp data port. Here is my rule:

Code:

iptables -A INPUT -p tcp -m state --state NEW --src ! 127.0.0.1 --dst 127.0.0.1 -m multiport --destination-port ! 20:23,ftp-data -j REJECT --reject-with icmp-host-prohibited

But it doesn't work, I can still access port 80 from other computers. Also, I am wondering if the ftp-data port will still work if the client is using passive FTP?

April 17th, 2008, 07:29 AM

compmodder26

Giggity Giggity!!

Join Date: Jul 2004

Posts: 801

Time spent in forums: 3 Weeks 4 Days 11 h 42 m 14 sec
Reputation Power: 208

I'm not an iptables guru by any means. But what I would do and do with all my machines now is make them restrictive by default. I drop all packets on the INPUT and FORWARD chains by default. Then I specifically allow the ports that I want to open

Code:

IPTABLES=/sbin/iptables

# set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# allow any connections from localhost
$IPTABLES -A INPUT -i lo -j ACCEPT

# allow established connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow connections on the following ports
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 20:23,ftp_data -j ACCEPT

__________________

Spread Ubuntu

(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination.

Last edited by compmodder26 : April 18th, 2008 at 08:14 AM. Reason: Forgot to add a rule for established connections

May 1st, 2008, 05:12 PM

fishtoprecords

Contributing User

Join Date: Sep 2007

Location: outside Washington DC

Posts: 610

Time spent in forums: 5 Days 15 h 24 m 48 sec
Reputation Power: 177

most user friendly distros have some user friendly tool to do the IP tables stuff. It tends to get complex quickly, and if you do it wrong, you can leave serious holes.

ubuntu and most debians have guarddog
mandriva has shorewall

I would not recommend doing it by hand until you become an old pro

Viewing: Dev Shed Forums > Operating Systems > Linux Help > Some iptables help

« Previous Thread | Next Thread »

Thread Tools	Search this Thread
Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts vB code is On Smilies are On [IMG] code is On HTML code is Off

View Your Warnings | New Posts | Latest News | Latest Threads | Shoutbox

Forum Jump

Free IT White Papers!

Accelerating Trading Partner Performance
One in five. That's how many partner transactions have at least one error. That is an amazing statistic, particularly given the extraordinary leaps in innovation across the global supply chain during the past two decades. Download this white paper to learn more.

Competing on Analytics
This Tech Analysis is designed to help identify characteristics shared by analytics competitors, and includes information about 32 organizations that have made a commitment to quantitative, fact-based analysis.

Cost Effective Scaling with Virtualization and Coyote Point Systems
An overview of the industry trend toward virtualization, how server consolidation has increased the importance of application uptime and the steps being taken to integrate load balancing technology with virtualized servers.

Five Checkpoints to Implementing IP Telephony
Implementation planning for IP PBX software and IP telephony has become vital as businesses replace discontinued legacy PBX phone systems. This informative whitepaper outlines five "checkpoints" for any implementation plan that will help make IP communications a successful proposition.

Hosted Email Security: Staying Ahead of New Threats
In the last two years, email has become a fierce battleground between the nefarious forces of spam and malware, and the heroes of messaging protection. The spam volumes increased alarmingly every month, bringing clever new forms of phishing and virus propagation attacks.

More Free IT White Papers!