How to block ports in iptables

Syed Mohammad Talha <talha@cbq.com.qa>
Sat, 29 Sep 2001 21:06:08 +0300


Hi,

thanks for the reply. This is what I have done, but still it is not working. You
see that I want to block like this:

IPTABLES="/sbin/iptables"   # path to the iptables binary (was not defined in the script)
exiteth="eth1"
inteth="eth0"
intnet="192.168.1.0/24"
exitnet="202.66.205.0/24"
remotenet="0.0.0.0/0"       # any address; a bare 0.0.0.0 only matches the single host 0.0.0.0/32
exitip="202.66.205.35/32"
any="0.0.0.0/0"             # "any destination" match used below (was not defined)
# LAN client addresses to be restricted (placeholders; the actual values are not in the message)
CLIENT1="<client1-ip>"
CLIENT2="<client2-ip>"
CLIENT3="<client3-ip>"

echo -en "ip_conntrack_ftp, "
/sbin/modprobe ip_conntrack_ftp
#
#
echo -en "iptable_nat, "
/sbin/modprobe iptable_nat
#
#
echo -en "ip_nat_ftp, "
/sbin/modprobe ip_nat_ftp
#
#
echo ". Done loading modules."
#
#
echo "  enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "32768 62000" > /proc/sys/net/ipv4/ip_local_port_range
#
#
$IPTABLES -F
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


$IPTABLES -A INPUT -i $inteth -s $intnet -d $exitnet -p tcp --source-port 53 -j ACCEPT
$IPTABLES -A INPUT -i $inteth -s $intnet -d $exitnet -p 6 --destination-port 80 -j ACCEPT
$IPTABLES -A INPUT -i $inteth -s $intnet -d $exitnet -p 6 --destination-port 443 -j ACCEPT
$IPTABLES -A INPUT -i $inteth -s $intnet -d $exitnet -p 6 --destination-port 3128 -j ACCEPT
$IPTABLES -A INPUT -i $inteth -s $intnet -d $exitnet -p 6 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -i $inteth -s $intnet -d $exitnet -p 6 --destination-port 110 -j ACCEPT

# Per-client port rules. Note that the INPUT chain only sees packets addressed to
# this host itself; packets the LAN clients send out through the router are
# handled in the FORWARD chain.
$IPTABLES -A INPUT -p tcp -s $CLIENT1 -d $any --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp -s $CLIENT2 -d $any --dport 20:23 -j DROP
$IPTABLES -A INPUT -p tcp -s $CLIENT3 -d $any --dport 20:23 -j ACCEPT

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s $intnet -m state --state NEW,INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $inteth -p 6 -j DROP
$IPTABLES -A INPUT -i $inteth -p 17 -j DROP

This is what I have defined in nat

$IPTABLES -t nat -A POSTROUTING -o $exiteth -j MASQUERADE

$IPTABLES -F FORWARD

echo " FWD: Allow all connections OUT and only existing and related one IN"
$IPTABLES -A FORWARD -i $exiteth -o $inteth -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $exiteth -o $inteth -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -A OUTPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -s $remotenet -d $intnet -j ACCEPT
$IPTABLES -A OUTPUT -s $intnet -d $exitnet -j ACCEPT
$IPTABLES -A OUTPUT -s $remotenet -d $exitnet -j ACCEPT
$IPTABLES -A OUTPUT -s $exitip -d $remotenet -j ACCEPT
$IPTABLES -A OUTPUT -s $remotenet -d $remotenet -j ACCEPT
$IPTABLES -A OUTPUT -s $remotenet -d $remotenet -p 6 --destination-port 1023:65000 -j ACCEPT
$IPTABLES -A OUTPUT -s $remotenet -d $remotenet -p 17 --destination-port 1023:65000 -j ACCEPT
$IPTABLES -A OUTPUT -s $intnet -d $remotenet -j DROP
$IPTABLES -A OUTPUT -s $remotenet -d $remotenet -j DROP

This is the sample of my firewall configuration which is not working. I
don't know what is wrong and from where I have to control; please check this
and help me in sorting out this problem.

Thanks and regards.

Talha


----- Original Message -----
From: "Philipp Snizek" <mailinglists@belfin.ch>
To: "'Syed Mohammad Talha'" <talha@cbq.com.qa>; <netfilter@lists.samba.org>
Sent: Saturday, September 29, 2001 7:51 PM
Subject: AW: How to block ports in iptables


> Hi,
>
> in this order you do
>
> define -P DROP for all rules
> then you -j ACCEPT the stuff you need.
> then you -i $laneth -j LOG what you want to log (if logging needed)
> then you -i $laneth -j DROP the rest you don't want.
>
> HTH
> Philipp
>
> > -----Original Message-----
> > From: netfilter-admin@lists.samba.org
> > [mailto:netfilter-admin@lists.samba.org] On behalf of Syed Mohammad
> > Talha
> > Sent: Saturday, 29 September 2001 18:31
> > To: netfilter@lists.samba.org
> > Subject: How to block ports in iptables
> >
> >
> > Dear all,
> >
> > I wanted to allow and block the ports to my internal LAN users. I have tried
> > to block or allow by defining the user's IP address as source to some
> > destination port in the INPUT chain, but it is not working. This is how I
> > used to block or allow the users in ipchains. Anybody who can tell me what
> > mistake I am doing?
> >
> > Talha
> >
>
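Added example, not code from either message above. It shows the per-client port blocks that Talha's script puts in INPUT placed instead in the FORWARD chain, which is where packets routed from the LAN to the Internet actually pass, and it follows the order from Philipp's reply (policy DROP, then ACCEPT what is needed, then LOG, then DROP the rest). The interface and network names are taken from the thread; the two client addresses and the DRY_RUN wrapper are assumptions made here so the rule order can be inspected without root.

```sh
#!/bin/sh
# Added example, not from the thread: per-client port blocking done in the
# FORWARD chain, in the order Philipp describes (policy DROP, ACCEPT, LOG, DROP).
# DRY_RUN=1 (the default here) prints each rule instead of applying it, so the
# script can be run as an unprivileged user to check the resulting order.
DRY_RUN="${DRY_RUN:-1}"
IPTABLES="/sbin/iptables"
inteth="eth0"               # LAN side, as in the thread
exiteth="eth1"              # Internet side, as in the thread
intnet="192.168.1.0/24"
CLIENT1="192.168.1.10"      # constructed sample address: no web browsing
CLIENT2="192.168.1.11"      # constructed sample address: no FTP/SSH/telnet

# Print the rule (dry run) or hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_rules() {
    # 1. default policies: nothing passes unless a rule accepts it
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -F
    ipt -t nat -F
    ipt -t nat -A POSTROUTING -o "$exiteth" -j MASQUERADE

    # 2. per-client blocks come first in FORWARD, before any general ACCEPT;
    #    these packets are routed through the box, so INPUT never sees them
    ipt -A FORWARD -i "$inteth" -s "$CLIENT1" -p tcp --dport 80 -j DROP
    ipt -A FORWARD -i "$inteth" -s "$CLIENT2" -p tcp --dport 20:23 -j DROP

    # 3. accept what is needed: LAN may open connections out, only replies come back in
    ipt -A FORWARD -i "$inteth" -o "$exiteth" -s "$intnet" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$exiteth" -o "$inteth" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. log, then drop, everything else that tried to cross the box
    ipt -A FORWARD -i "$inteth" -j LOG --log-prefix "FWD-DROP: "
    ipt -A FORWARD -j DROP

    # INPUT/OUTPUT cover only the router's own traffic (e.g. the proxy on 3128)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$inteth" -s "$intnet" -p tcp --dport 3128 -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Line number, in the generated rule list, of the first FORWARD rule whose text
# matches the given pattern; used to confirm that the blocks precede the accepts.
rule_index() {
    build_rules | grep -n -- '-A FORWARD' | grep -- "$1" | head -n 1 | cut -d: -f1
}

build_rules
```

Run it as-is to see the rules in order; run with DRY_RUN=0 as root to apply them. The point to check in any variant is that `rule_index` for a client address is smaller than `rule_index` for the stateful ACCEPT, and that no client-specific rule sits in INPUT.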