How can I block all ports except some?



I am trying to use iptables, but I am so clueless about the documentation that I've locked myself out of my server twice already whilst trying to implement it.

These are the simple rules that I want to implement:

  • Allow ports 80, 6667 and 6697 to everyone

  • Allow port 22 only to my IP, for example 10.10.10.10

Please can someone help me implement these simple rules without locking myself out?










debian iptables






asked Dec 2 '16 at 8:49 by user6888062
  • What's wrong with ufw, the Uncomplicated Firewall? It provides a simpler interface to iptables: ufw disable; ufw reset; ufw allow proto tcp from 10.10.10.10 to any port 22; ...; ufw enable.
    – AlexP, Dec 2 '16 at 9:00







  • Set the policy to REJECT and then ACCEPT only the ports in your list.
    – phg, Dec 2 '16 at 9:12












3 Answers
I would advise against playing with iptables directly if you're not ready to learn the basics of networking, TCP(ICMP/UDP/SCTP...)/IP, Linux's netfilter and how to do proper firewalling first.

Here, since you're on Debian, I would install something like ufw, a very simple management layer on top of iptables.

It sets a default policy of ACCEPT for outgoing traffic, and DROP for incoming or forwarding traffic. It will take care of not shooting yourself in the foot by not blocking needed types of ICMP/DHCP/broadcast/multicast traffic, and handles both IPv4 and IPv6 as needed.

Then all that is left for you to do is punch holes for the services that you want. Some packages will also install files in /etc/ufw/applications.d/ to help you punch holes by application instead of having to specify the ports by hand (you can also create your own).

    ufw app list

gives you a list of those supported applications. Then you can do:

    ufw allow from 10.10.10.10 app OpenSSH
    ufw allow from any app WWW
    ufw allow ircd/tcp # by service name (from /etc/services...)
    ufw allow 6697/tcp # by explicit port number
    ufw enable

You can run iptables-save to see what rules it has generated. It will also have tuned some settings of the IP stack. See also the extra configuration in /etc/ufw.







answered Dec 2 '16 at 10:22 by Stéphane Chazelas























Use the filter table in iptables and add the rules you want. First, flush all rules in the filter table:

    sudo iptables -t filter -F

Then add a rule to allow ESTABLISHED,RELATED connections:

    sudo iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Then, to allow ports 80, 6667 and 6697 for TCP to everyone, add:

    sudo iptables -t filter -A INPUT -p tcp -m multiport --dports 80,6667,6697 -j ACCEPT

And to allow port 22 for just your IP, add:

    sudo iptables -t filter -A INPUT -s <your ip address> -p tcp --dport 22 -j ACCEPT

Then, to block anything else, add:

    sudo iptables -t filter -A INPUT -j DROP

Done.







answered Dec 2 '16 at 9:19 by Wissam Roujoulah (edited 2 days ago by Ouki)





















If you're interested in learning how to use iptables, I would recommend not trying to configure it on a server, but instead to install iptables on a local machine (e.g., a VM or your laptop) and experimenting with it there. That way, if you make a mistake, you're not going to lock yourself out of your system.

Personally, even after fifteen years of administering Linux servers and manually writing iptables scripts, I never ever update firewall configuration unless I have a way to immediately reboot the server in case I make a mistake (be it through a KVM system, a hoster's control panel, or by being able to physically walk to the machine). After all, mistakes are always possible, and you don't want to accidentally lock yourself out of your own server for seven hours because of a simple typo.







answered Dec 2 '16 at 10:34 by Wouter Verhelst
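Added example, written for this edit and not taken from the question or from any of the answers above. It ties the three answers together: the iptables answer's rule set is expressed as a single iptables-restore ruleset (loaded atomically, with the blocking done by the chain's default policy rather than a trailing DROP rule, and with the loopback and ICMP allowances that the iptables answer leaves out and that ufw adds for you), and the lockout concern from the question and from Wouter's answer is handled with a rollback timer that restores the previous rules unless you confirm from a fresh SSH session. Assumptions: iptables-save and iptables-restore are installed, the apply step runs as root, the admin address defaults to the 10.10.10.10 used in the question, `-m conntrack --ctstate` is used as the modern equivalent of the answer's `-m state --state`, and the backup path, timer length and function names are my own choices.

```sh
#!/bin/sh
# Added example, not from the question or any answer above.
# Builds the "block everything except some ports" policy as one
# iptables-restore ruleset and applies it with a rollback timer, so a
# mistake cannot lock you out for more than ROLLBACK_SECS seconds.
# Assumptions: iptables-save/iptables-restore are installed, the apply
# step runs as root, and the admin address is the 10.10.10.10 of the question.

ROLLBACK_SECS=120                 # constructed value, adjust to taste
BACKUP=/run/iptables.rollback     # constructed path for the saved rules

# validate_ipv4 ADDR: accept only a dotted quad (optionally /prefix). A typo
# here would silently restrict SSH to the wrong address, so refuse anything else.
validate_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# generate_ruleset ADMIN_IP: print the ruleset on stdout.
# The default policies do the blocking (no trailing DROP rule needed);
# loopback and established/related traffic are accepted first so replies and
# local services keep working; ICMP stays open so path MTU discovery works.
generate_ruleset() {
    admin_ip="$1"
    validate_ipv4 "$admin_ip" || { echo "generate_ruleset: bad address: $admin_ip" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,6667,6697 -j ACCEPT
-A INPUT -p tcp -s ${admin_ip} --dport 22 -j ACCEPT
COMMIT
EOF
}

# apply_with_rollback ADMIN_IP: save the live rules, load the new ruleset in
# one atomic commit, then schedule a restore of the saved rules. Run
# "confirm_rules" within ROLLBACK_SECS from a *new* SSH session to keep them.
apply_with_rollback() {
    iptables-save > "$BACKUP" || return 1
    generate_ruleset "$1" | iptables-restore \
        || { echo "apply: restore failed, live rules unchanged" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo "$!" > "$BACKUP.pid"
    echo "new rules active; run 'confirm' within ${ROLLBACK_SECS}s or they roll back"
}

# confirm_rules: cancel the pending rollback once a fresh login has succeeded.
confirm_rules() {
    kill "$(cat "$BACKUP.pid")" 2>/dev/null && rm -f "$BACKUP.pid"
    echo "rollback cancelled; rules kept"
}

# Only touch the live firewall when explicitly asked:
#   sh firewall.sh show 10.10.10.10     (print the ruleset, no root needed)
#   sh firewall.sh apply 10.10.10.10    (as root)
#   sh firewall.sh confirm              (as root, from a new SSH session)
case "${1:-}" in
    show)    generate_ruleset "${2:-10.10.10.10}" ;;
    apply)   apply_with_rollback "${2:-10.10.10.10}" ;;
    confirm) confirm_rules ;;
esac
```

Because iptables-restore replaces the whole filter table in one commit, there is no window in which the chain is half-built, which the rule-by-rule `-A` sequence in the iptables answer cannot guarantee. The ruleset covers IPv4 only; an equivalent ruleset has to be loaded with ip6tables-restore, which is one reason the ufw answer's automatic IPv4/IPv6 handling is attractive for a first firewall.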


























