Mark
asked on
linux iptables, block all but specified ports
I have a Linux host with 2 NICs. eth0 is connected directly to the Internet. eth1 is connected to the local LAN only. I want to block all but a few incoming ports for eth0 and permit all ports for eth1. After surfing for ideas, here is what I've come up with. Could someone please confirm/correct before I actually try it:
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 22,25,80,443,10010,10020 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # redundant?
iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT
I've seen these specified more simply such as:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
so I'm not sure if the --state option is necessary or not.
ASKER
comfortjeanius: > With this, iptables track the state of every connection
So ... is this a good thing?
I've seen the --dport parameter for a range of ports, but I don't really have a range. Can I use the --multiport --dports settings as shown, or should I use multiple --dport statements?
Bottom line: Will what I show in my original posting work for what I want or will it mess something up? Is there a better way to close all incoming ports on eth0 except 22,25,80,443,10010,10020, leave all outgoing eth0 ports open, and leave all ports open on eth1?
You should use either -m multiport --dport or --match multiport --dport; refer to Quick HOWTO : Ch14 : Linux Firewalls Using iptables and look at Table 14.6.
Remember per man pages on multiport ---
This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with -p tcp or -p udp.
iptables -A INPUT -i eth0 -p tcp --match multiport --dports 22,25,80,443,10010,10020 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --match multiport --sports 22,25,80,443,10010,10020 -j ACCEPT
or
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,25,80,443,10010,10020 -j ACCEPT
Note: The INPUT rule will accept incoming connections on those ports, and the second rule will send the responses for the incoming port, server to client, from those source ports. Hence it only allows incoming and outgoing traffic on those ports.
For your scenario you will only need the INPUT command on eth0 as follows:
iptables -A INPUT -i eth0 -p tcp --match multiport --dports 22,25,80,443,10010,10020 -j ACCEPT
or
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020 -j ACCEPT
If you want to track connections, it would look like this:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020 -m state --state NEW,ESTABLISHED -j ACCEPT
or
iptables -A INPUT -i eth0 -p tcp --match multiport --dports 22,25,80,443,10010,10020 -m state --state NEW,ESTABLISHED -j ACCEPT
Here is a link to shed some light on connection tracking: How do I use Iptables connection tracking feature?
For eth1 you should not have to do anything as long as you have network connectivity.
ASKER CERTIFIED SOLUTION
Per this link: IP Tables Question
Allow incoming while monitoring the state:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:5020 -j ACCEPT
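As an added example (not code from the question or from either answer), the script below applies the policy the asker describes, Internet on eth0 and LAN on eth1, using the multiport and state matches the answers recommend. The interface names and the port list are assumptions taken from the question and can be overridden with environment variables; a dry-run mode prints the commands so they can be reviewed before anything touches the kernel, and the DROP policy is set only after the accept rules so a re-run over SSH does not lock you out.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: eth0 = Internet, eth1 = LAN,
# ports from the question. Usage as root: sh fw.sh apply
# Preview the generated commands without applying them: sh fw.sh show
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_TCP_PORTS=${WAN_TCP_PORTS:-22,25,80,443,10010,10020}

# ipt: run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Open the policy before flushing so a re-run over SSH cannot lock you out
    # between the flush and the accept rules below.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -F OUTPUT
    # Replies to tracked connections; this one rule makes per-port --sport
    # rules on OUTPUT (the "# redundant?" question) unnecessary.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # LAN side: anything may open a connection.
    ipt -A INPUT -i "$LAN_IF" -m state --state NEW -j ACCEPT
    # Internet side: only new TCP connections to the listed ports. multiport
    # takes at most 15 entries, and a range a:b counts as two of them.
    ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$WAN_TCP_PORTS" \
        -m state --state NEW -j ACCEPT
    # Everything else arriving is dropped by the chain policy, set last.
    ipt -P INPUT DROP
    # Outbound traffic is unrestricted on both interfaces; the host does not route.
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
}

# preview_rules: the exact commands build_rules would run, without running them.
preview_rules() { ( DRY_RUN=1; build_rules; ); }
rule_count() { preview_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) build_rules ;;
    show)  preview_rules ;;
esac
```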