linux iptables, block all but specified ports

I have a Linux host with 2 NICs. eth0 is connected directly to the Internet. eth1 is connected to the local LAN only. I want to block all but a few incoming ports for eth0 and permit all ports for eth1. After surfing for ideas, here is what I've come up with. Could someone please confirm/correct before I actually try it:

iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 22,25,80,443,10010,10020 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  # redundant?
iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT

I've seen these specified more simply such as:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

so I'm not sure if the --state option is necessary or not.
Mark asked:

comfortjeanius commented:
This is using a stateful firewall technique. With this, iptables tracks the state of every connection, such as NEW, ESTABLISHED, RELATED, UNTRACKED, and INVALID per the man pages.

Per this link: IP Tables Question

Allow incoming while monitoring the state:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:5020 -j ACCEPT
Mark (Author) commented:
comfortjeanius: > With this, iptables tracks the state of every connection

So ... is this a good thing?

I've seen the --dport parameter for a range of ports, but I don't really have a range. Can I use the --multiport --dports settings as shown, or should I use multiple --dport statements?

Bottom line: Will what I show in my original posting work for what I want or will it mess something up? Is there a better way to close all incoming ports on eth0 except 22,25,80,443,10010,10020, leave all outgoing eth0 ports open, and leave all ports open on eth1?
comfortjeanius commented:
You should use either -m multiport --dport or --match multiport --dport; refer to Quick HOWTO : Ch14 : Linux Firewalls Using iptables and look at Table 14.6.

Remember, per the man pages on multiport:

This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with -p tcp or -p udp.

iptables -A INPUT -i eth0 -p tcp --match multiport --dports 22,25,80,443,10010,10020 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --match multiport --sports 22,25,80,443,10010,10020 -j ACCEPT
or
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020  -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020 -j ACCEPT

Note: the INPUT rules will accept incoming connections on those ports, and the OUTPUT rule will allow the responses from those source ports (server to client). Hence only incoming and outgoing traffic on those ports is allowed.

For your scenario you will only need the INPUT command on eth0, as follows:

iptables -A INPUT -i eth0 -p tcp --match multiport --dports 22,25,80,443,10010,10020 -j ACCEPT
or
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020  -j ACCEPT

If you want to track connections, it would look like this:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020  -m state --state NEW,ESTABLISHED -j ACCEPT
or
iptables -A INPUT -i eth0 -p tcp --match multiport --dports 22,25,80,443,10010,10020 -m state --state NEW,ESTABLISHED -j ACCEPT

Here is a link to shed some light on connection tracking: How do I use Iptables connection tracking feature?

For eth1 you should not have to do anything, as long as you have network connectivity.

comfortjeanius commented:
Typo on this rule:
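The asker's ruleset and the multiport/state discussion above, assembled into one atomically loaded ruleset. This is an added example, not code from the question or the answers: it uses `-m conntrack --ctstate` (the current equivalent of the deprecated `-m state --state`), assumes the host does not route between its NICs (FORWARD DROP), and is loaded with `iptables-restore`, so the DROP policy and the ACCEPT rules take effect together instead of the policy being set first.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset for the two-NIC host in
# the question. Interface names and ports are the question's; the FORWARD DROP
# policy is an assumption (the host is not forwarding between eth0 and eth1).
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WAN_TCP_PORTS="${WAN_TCP_PORTS:-22,25,80,443,10010,10020}"

# Print the ruleset on stdout. Policies and rules are committed in one load,
# so there is no window where INPUT is DROP but the ACCEPT rules are absent
# (the lockout risk of running 'iptables -P INPUT DROP' first over SSH).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host already accepted or initiated.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot associate with any connection (e.g. stray ACKs).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Everything arriving on the LAN-only interface.
-A INPUT -i ${LAN_IF} -j ACCEPT
# Only the listed TCP services are reachable from the Internet-facing NIC.
-A INPUT -i ${WAN_IF} -p tcp -m multiport --dports ${WAN_TCP_PORTS} -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited log of what is about to hit the INPUT DROP policy on ${WAN_IF}.
-A INPUT -i ${WAN_IF} -m limit --limit 5/min -j LOG --log-prefix "DROP-INPUT "
COMMIT
EOF
}

# Number of comma-separated ports; multiport accepts at most 15 (a range counts as two).
port_count() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

# Usage (as root): gen_rules | iptables-restore --test   # parse only, commit nothing
#                  gen_rules | iptables-restore          # apply atomically
```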

iptables -A INPUT -i eth0 -p tcp --match multiport --dports 22,25,80,443,10010,10020 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --match multiport --sports 22,25,80,443,10010,10020 -j ACCEPT
or
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,10010,10020  -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,25,80,443,10010,10020 -j ACCEPT
