How can I block all ports except some?
I am trying to use iptables, but I am clueless in understanding the documentation, so much so that I've locked myself out of my server twice already whilst trying to implement it.
These are the simple rules that I want to implement:
- Allow ports 80, 6667 and 6697 to everyone
- Allow port 22 to just my IP, for example 10.10.10.10
Please can someone help me implement these simple rules, without locking myself out?
Tags: debian, iptables
asked Dec 2 '16 at 8:49
user6888062
What's wrong with ufw, the Uncomplicated Firewall? It provides a simpler interface to iptables:
    ufw disable
    ufw reset
    ufw allow proto tcp from 10.10.10.10 to any port 22
    ...
    ufw enable
– AlexP, Dec 2 '16 at 9:00
Set the policy to REJECT and then ACCEPT only the ports in your list.
– phg, Dec 2 '16 at 9:12
3 Answers
I would advise against playing with iptables directly if you're not ready to learn the basics of networking, TCP(ICMP/UDP/SCTP...)/IP, Linux's netfilter and how to do proper firewalling first.
Here, since you're on Debian, I would install something like ufw, a very simple management layer on top of iptables.
It sets a default policy of ACCEPT for outgoing traffic, and DROP for incoming or forwarding traffic. It will take care of not shooting yourself in the foot by not blocking needed types of ICMP/DHCP/broadcast/multicast traffic, and handles both IPv4 and IPv6 as needed.
Then all that is left for you to do is punch holes for the services that you want. Some packages will also install files in /etc/ufw/applications.d/ to help you punch holes by application instead of having to specify the ports by hand (you can also create your own).
ufw app list gives you a list of those supported applications. Then you can do:
    ufw allow from 10.10.10.10 app OpenSSH
    ufw allow from any app WWW
    ufw allow ircd/tcp # by service name (from /etc/services...)
    ufw allow 6697/tcp # by explicit port number
    ufw enable
You can run iptables-save to see what rules it has generated. It will also have tuned some settings of the IP stack. See also the extra configuration in /etc/ufw.
answered Dec 2 '16 at 10:22
Stéphane Chazelas
Use the filter table in iptables and add the rules you want.
First flush all rules in the filter table in iptables:
    sudo iptables -t filter -F
Then add a rule to allow ESTABLISHED,RELATED connections:
    sudo iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then, to allow ports 80, 6667 and 6697 for TCP to everyone, add:
    sudo iptables -t filter -A INPUT -p tcp -m multiport --dports 80,6667,6697 -j ACCEPT
And to allow port 22 for just your IP, add:
    sudo iptables -t filter -A INPUT -s <your ip address> -p tcp --dport 22 -j ACCEPT
Then to block anything else add:
    sudo iptables -t filter -A INPUT -j DROP
Done.
edited 2 days ago by Ouki
answered Dec 2 '16 at 9:19
Wissam Roujoulah
If you're interested in learning how to use iptables, I would recommend not trying to configure it on a server, but instead installing iptables on a local machine (e.g., a VM or your laptop) and experimenting with it there. That way, if you make a mistake, you're not going to lock yourself out of your system.
Personally, even after fifteen years of administering Linux servers and manually writing iptables scripts, I never ever update firewall configuration unless I have a way to immediately reboot the server in case I make a mistake (be it through a KVM system, a hoster's control panel, or by being able to physically walk to the machine). After all, mistakes are always possible, and you don't want to accidentally lock yourself out of your own server for seven hours because of a simple typo.
answered Dec 2 '16 at 10:34
Wouter Verhelst
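The two answers above cover the two halves of the problem: Wissam Roujoulah's answer gives the rule list, and Wouter Verhelst's answer explains why applying it blind is how people lock themselves out. The script below is an added example written for this page; it is not code from the question, from any of the answers, or from the iptables project. It builds an iptables-restore ruleset for exactly the question's requirements (22/tcp only from 10.10.10.10, ports 80, 6667 and 6697/tcp open to everyone), adds the pieces a bare "allow three ports" ruleset leaves out (loopback, ESTABLISHED/RELATED, ICMP), validates the admin address so a typo cannot produce an SSH rule that matches nobody, and applies the result with a timed automatic rollback so a bad ruleset undoes itself. The ADMIN_IP and PUBLIC_PORTS environment variables, the function names and the 90-second grace period are this example's own conventions. It uses -m conntrack in place of the older -m state, and a chain policy of DROP with an explicit final REJECT rule, because a built-in chain's policy itself can only be ACCEPT or DROP.

```shell
#!/bin/sh
# Added example, not from the question or any answer: generate and safely apply
# an iptables ruleset for "block everything except a few ports".
# Requirements from the question: 22/tcp only from 10.10.10.10; 80, 6667 and
# 6697/tcp open to everyone. ADMIN_IP / PUBLIC_PORTS, the function names and
# the 90 s grace period are this example's own conventions.

valid_ipv4() {
    # Accept only four dotted-decimal octets in 0-255; reject anything else so a
    # typo in the admin address cannot silently become an SSH rule that matches nobody.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ipv4_oldifs=$IFS; IFS=.; set -- $1; IFS=$ipv4_oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

build_ruleset() {
    # $1 = host allowed to reach SSH, $2 = comma-separated TCP ports open to all.
    # Prints an iptables-restore ruleset on stdout; fails on a malformed admin IP.
    valid_ipv4 "$1" || { echo "build_ruleset: invalid admin IP '$1'" >&2; return 1; }
    # Policy DROP is the safety net (a built-in chain's policy can only be ACCEPT
    # or DROP); the final REJECT rule makes legitimate clients fail fast instead
    # of timing out. Loopback, ESTABLISHED/RELATED and ICMP are the rules a bare
    # "allow three ports" list tends to forget.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -s $1/32 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports $2 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

apply_with_rollback() {
    # $1 = ruleset file, $2 = seconds until the previous rules come back on their own.
    # The timer is armed BEFORE the new rules go live, so even a ruleset that
    # kills this very SSH session is undone without anyone at the console.
    rules=$1; grace=${2:-90}
    [ "$(id -u)" -eq 0 ] || { echo "apply_with_rollback: run as root" >&2; return 1; }
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    # --test parses and builds the ruleset without committing it, so a syntax
    # error is caught here and nothing changes.
    iptables-restore --test "$rules" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    # nohup keeps the rollback alive if the SSH session that started it dies.
    nohup sh -c "sleep $grace && iptables-restore < $backup" >/dev/null 2>&1 &
    rollback_pid=$!
    iptables-restore < "$rules" || return 1
    echo "Applied. Open a NEW ssh session to confirm access, then run: kill $rollback_pid"
    echo "If you do nothing, the previous rules return in $grace seconds."
}

main() {
    admin_ip=${ADMIN_IP:-10.10.10.10}
    ports=${PUBLIC_PORTS:-80,6667,6697}
    case "${1:-}" in
        apply)
            tmp=$(mktemp /tmp/iptables-new.XXXXXX) || return 1
            build_ruleset "$admin_ip" "$ports" > "$tmp" || return 1
            apply_with_rollback "$tmp" "${2:-90}" ;;
        *)  # dry run: only print what would be loaded
            build_ruleset "$admin_ip" "$ports" ;;
    esac
}

main "$@"
```

Run it with no arguments to review the generated ruleset, then `sudo ./fw.sh apply 120` to load it with a two-minute rollback window; only after a fresh SSH login from the admin address succeeds do you kill the rollback process it names. Arming the rollback before the restore, rather than after, is the whole point: if the new rules cut the session, the command that would have cancelled the rollback never runs, which is exactly what you want.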