blocking all traffic except selected ports

Jason Opperisano opie at 817west.com
Sat Apr 23 16:54:44 CEST 2005


On Sat, Apr 23, 2005 at 05:23:07AM -0400, Ed wrote:
> Kashif Ali Bukhari wrote:
> > I want to block all inbound access to my Linux box and want to allow
> > dns, http proxy, ssh, telnet, and ftp.
> > How can I do this?
> 
> First, please see
> http://www.catb.org/~esr/faqs/smart-questions.html

I love that link.

> iptables -A INPUT -p tcp --dport  21 -j ACCEPT
> iptables -A INPUT -p tcp --dport  22 -j ACCEPT
> iptables -A INPUT -p tcp --dport  23 -j ACCEPT
> iptables -A INPUT -p tcp --dport  53 -j ACCEPT

and:
  iptables -A INPUT -p udp --dport 53 -j ACCEPT

> iptables -A INPUT -p tcp --dport  3128 -j ACCEPT
> iptables -P INPUT DROP
> 
> or if you compile your kernel/iptables with multiport support
> 
> iptables -A INPUT -m multiport -p tcp --dports 21-23,53,3128 -j ACCEPT

multiport doesn't support ranges, mport does (and it uses a ':' not a
'-'):

  iptables -A INPUT -p tcp -m mport --dports 21:23,53,3128 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT

> iptables -P INPUT DROP
> 
> A classic RTFM/STFW case, nonetheless...

Yes.  Couldn't resist the nit-pick, though.  ;-)

-j

--
"Joe Swanson: You can't just come over here and annex my pool!
 Peter: Oh yeah? Well, according to paragraph 7, sentence 3, word 8 of
 the Geneva Convention..."the". So, tough luck, Swanson."
        --Family Guy
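Added example, not code from either poster: the complete INPUT policy the
question asks for, written as an iptables-restore file so the whole set loads
atomically instead of one `iptables -A` at a time. It keeps the thread's ports
(21 ftp, 22 ssh, 23 telnet, 53 dns, 3128 proxy) and uses multiport with a plain
comma list, which needs no range support. It also adds the two rules the quoted
snippet leaves out: an accept on the loopback interface, and an accept for
ESTABLISHED,RELATED packets, without which a box whose INPUT policy is DROP
never sees the replies to its own outbound connections (its own DNS lookups
included). The function names `gen_rules`, `count_accept_rules` and
`apply_rules`, the default port lists, and the `-m state` match (the conntrack
state match as it was called in that era; modern iptables still accepts it)
are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts).  Generates, and optionally
# loads, a default-deny INPUT chain that admits only the listed services.

# gen_rules [tcp_ports] [udp_ports]
#   Prints an iptables-restore ruleset.  Port lists are comma separated.
#   Assumption: multiport takes at most 15 ports per rule; split longer
#   lists across several rules.
gen_rules() {
    tcp_ports="${1:-21,22,23,53,3128}"   # ftp, ssh, telnet, dns, squid
    udp_ports="${2:-53}"                 # dns also answers over udp
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --syn -m multiport --dports ${tcp_ports} -j ACCEPT
-A INPUT -p udp -m multiport --dports ${udp_ports} -j ACCEPT
COMMIT
EOF
}
# Note on ftp: the data connection of an active-mode transfer only matches
# RELATED when the ftp conntrack helper (ip_conntrack_ftp / nf_conntrack_ftp)
# is loaded; passive mode additionally needs the server's passive port range
# opened or the same helper.

# count_accept_rules [tcp_ports] [udp_ports]
#   Number of ACCEPT rules in the generated set; handy as a sanity check
#   before loading (loopback + established + tcp + udp = 4).
count_accept_rules() {
    gen_rules "$@" | grep -c -- '-j ACCEPT'
}

# apply_rules [tcp_ports] [udp_ports]
#   Loads the generated set atomically.  Requires root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    gen_rules "$@" | iptables-restore
}

# Usage:  sh allow-selected.sh           -> print the ruleset
#         sh allow-selected.sh --apply   -> load it with iptables-restore
case "${1-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

Before loading this on a remote box, keep a second session open or schedule a
fallback (`sleep 300 && iptables -P INPUT ACCEPT`) so a typo in the port list
does not lock you out over ssh. Also note that telnet (23) and ftp (21) carry
credentials in cleartext; opening them to the world is the same thing as
publishing the passwords to anyone on the path.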



More information about the netfilter mailing list