Linux Netfilter discussions
* How to block all ports except port 21,22,80,8080 ???
@ 2003-02-18  8:12 jacob_chan
  2003-02-18  8:57 ` Ralf Spenneberg
  2003-02-18  9:02 ` Joel Newkirk
  0 siblings, 2 replies; 12+ messages in thread
From: jacob_chan @ 2003-02-18  8:12 UTC (permalink / raw)
  To: netfilter; +Cc: tashamaillist, netfilter

How to block all ports except port 21,22,80,8080 ???

Dear all,

I want to block all ports except port 21,22,80,8080.

Any help appreciated.

Best regards,

Jacob


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: How to block all ports except port 21,22,80,8080 ???
  2003-02-18  8:12 How to block all ports except port 21,22,80,8080 ??? jacob_chan
@ 2003-02-18  8:57 ` Ralf Spenneberg
  2003-02-18  9:30   ` Ralf Spenneberg
  2003-02-18  9:02 ` Joel Newkirk
  1 sibling, 1 reply; 12+ messages in thread
From: Ralf Spenneberg @ 2003-02-18  8:57 UTC (permalink / raw)
  To: Netfilter

On Tue, 2003-02-18 at 09:12, jacob_chan wrote:
> How to block all ports except port 21,22,80,8080 ???
> 
> Dear all,
> 
> I want to block all ports except port 21,22,80,8080.
Block for what? Input? What protocol? TCP? 
iptables -A INPUT -p tcp ! --dport 21,22,80,8080 -j DROP

Cheers,

Ralf
> 
> Any help appreciated.
> 
> Best regards,
> 
> Jacob
-- 
Ralf Spenneberg
RHCE, RHCX

IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org



* Re: How to block all ports except port 21,22,80,8080 ???
  2003-02-18  8:12 How to block all ports except port 21,22,80,8080 ??? jacob_chan
  2003-02-18  8:57 ` Ralf Spenneberg
@ 2003-02-18  9:02 ` Joel Newkirk
  1 sibling, 0 replies; 12+ messages in thread
From: Joel Newkirk @ 2003-02-18  9:02 UTC (permalink / raw)
  To: jacob_chan; +Cc: tashamaillist, netfilter

On Tuesday 18 February 2003 03:12 am, jacob_chan wrote:
> How to block all ports except port 21,22,80,8080 ???
>
> Dear all,
>
> I want to block all ports except port 21,22,80,8080.
>
> Any help appreciated.
>
> Best regards,
>
> Jacob

If you mean on input, try:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -m multiport --dport 21,22,80,8080 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

These will allow nothing in, nothing out, nothing forwarded, except the 
four specified TCP ports, replies, and associated traffic.  You'd also 
need "insmod ip_conntrack_ftp" for both passive and active FTP to work, 
so that all data communications would be RELATED to the control port 21. 
(and "insmod ip_conntrack" if you don't have it already, for the state 
match to work)

j




* Re: How to block all ports except port 21,22,80,8080 ???
  2003-02-18  8:57 ` Ralf Spenneberg
@ 2003-02-18  9:30   ` Ralf Spenneberg
  2003-02-18 10:15     ` Patrick Maartense
  0 siblings, 1 reply; 12+ messages in thread
From: Ralf Spenneberg @ 2003-02-18  9:30 UTC (permalink / raw)
  To: Netfilter

On Tue, 2003-02-18 at 09:57, Ralf Spenneberg wrote:
> On Tue, 2003-02-18 at 09:12, jacob_chan wrote:
> > How to block all ports except port 21,22,80,8080 ???
> > 
> > Dear all,
> > 
> > I want to block all ports except port 21,22,80,8080.
> Block for what? Input? What protocol? TCP? 
> iptables -A INPUT -p tcp ! --dport 21,22,80,8080 -j DROP
Missed the multiport part:

iptables -A INPUT -p tcp -m multiport ! --dport 21,22,80,8080 -j DROP

> Cheers,
> 
> Ralf
> > 
> > Any help appreciated.
> > 
> > Best regards,
> > 
> > Jacob
-- 
Ralf Spenneberg
RHCE, RHCX

IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org



* Re: How to block all ports except port 21,22,80,8080 ???
  2003-02-18  9:30   ` Ralf Spenneberg
@ 2003-02-18 10:15     ` Patrick Maartense
  2003-02-18 12:45       ` Ralf Spenneberg
                         ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Patrick Maartense @ 2003-02-18 10:15 UTC (permalink / raw)
  To: Ralf Spenneberg; +Cc: Netfilter

it would be MUCH better to

iptables -P INPUT DROP # default drop
then allow only these ports
iptables -A INPUT -p tcp -m multiport  --dport 21,22,80,8080 -j ACCEPT

Safe thinking: default drop, allow only what is needed.



Ralf Spenneberg wrote:

> On Tue, 2003-02-18 at 09:57, Ralf Spenneberg wrote:
> > On Tue, 2003-02-18 at 09:12, jacob_chan wrote:
> > > How to block all ports except port 21,22,80,8080 ???
> > >
> > > Dear all,
> > >
> > > I want to block all ports except port 21,22,80,8080.
> > Block for what? Input? What protocol? TCP?
> > iptables -A INPUT -p tcp ! --dport 21,22,80,8080 -j DROP
> Missed the multiport part:
>
> iptables -A INPUT -p tcp -m multiport ! --dport 21,22,80,8080 -j DROP
>
> > Cheers,
> >
> > Ralf
> > >
> > > Any help appreciated.
> > >
> > > Best regards,
> > >
> > > Jacob




* Re2: How to block all ports except port 21,22,80,8080 ???
  2003-02-18 16:03       ` How to block all ports except port 21,22,80,8080 ??? Alexander W. Janssen
@ 2003-02-18 12:19         ` Pablo Allietti
  2003-02-18 19:40           ` Alexander W. Janssen
  2003-02-18 19:51           ` Re2: " Alexander W. Janssen
  0 siblings, 2 replies; 12+ messages in thread
From: Pablo Allietti @ 2003-02-18 12:19 UTC (permalink / raw)
  To: netfilter

> On Tue, Feb 18, 2003 at 11:15:21AM +0100, Patrick Maartense wrote:
> > it would be MUCH better to
> > 
> > iptables -P INPUT DROP # default drop
> > then allow only these ports
> > iptables -A INPUT -p tcp -m multiport  --dport 21,22,80,8080 -j ACCEPT
> > 
> > Safe thinking: default drop, allow only what is needed.
> 
> And it's always a good idea to allow traffic from loopback:
> 
 iptables -A INPUT -i lo -j ACCEPT

Another question: when I put this line in, iptables -L says

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere


With this, do I open all ports to any connection from outside?


What is the line to permit all inside to outside?



> 
> I heard people telling that ssh is using 22/udp as well. I'm not sure if
> that's true, though I haven't found any sshd which ever bind()ed to 22/udp.
> Anyone more information?
> 
> Allowing ICMP should be mandatory as well, otherwise you'll create another
> PMTU blackhole and you'll miss almost all error messages. And sending real
> error messages like tcp-reset and ICMP port unreachable is a good thing, too.
> You can limit them, if you like.
> 
> iptables -A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset # limit if you like
> iptables -A INPUT -j REJECT     # and that one as well
> # implicit DROP due to default policy should happen here
> 
> Alex.
>  
> 
> -- 
> "Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
> Instructions for use of this post: Insert tongue in cheek. Read as normal.


---end quoted text---

-- 

Pablo Allietti

LACNIC 

Registro de Direcciones de Internet para America Latina y el Caribe
Registro de Enderecamento de Internet para America Latina e Caribe
Latin American and Caribbean Internet Addresses Registry





* Re: How to block all ports except port 21,22,80,8080 ???
  2003-02-18 10:15     ` Patrick Maartense
@ 2003-02-18 12:45       ` Ralf Spenneberg
  2003-02-18 13:40       ` How to Block MSN Miguel Amador L.
  2003-02-18 16:03       ` How to block all ports except port 21,22,80,8080 ??? Alexander W. Janssen
  2 siblings, 0 replies; 12+ messages in thread
From: Ralf Spenneberg @ 2003-02-18 12:45 UTC (permalink / raw)
  To: Netfilter

On Tue, 2003-02-18 at 11:15, Patrick Maartense wrote:
> it would be MUCH better to
> 
> iptables -P INPUT DROP # default drop
> then allow only these ports
> iptables -A INPUT -p tcp -m multiport  --dport 21,22,80,8080 -j ACCEPT
Sure. Even this little script has to be improved to be accepted as a
"firewall script". Stuff like conntrack and egress and ingress filtering
is missing.
But a short question gets a short answer.

Cheers,

Ralf

-- 
Ralf Spenneberg
RHCE, RHCX

IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org



* How to Block MSN
  2003-02-18 10:15     ` Patrick Maartense
  2003-02-18 12:45       ` Ralf Spenneberg
@ 2003-02-18 13:40       ` Miguel Amador L.
  2003-02-18 15:49         ` Arnt Karlsen
  2003-02-18 16:03       ` How to block all ports except port 21,22,80,8080 ??? Alexander W. Janssen
  2 siblings, 1 reply; 12+ messages in thread
From: Miguel Amador L. @ 2003-02-18 13:40 UTC (permalink / raw)
  To: netfilter

How do I block MSN Messenger?
When MSN searches for a proxy server, it sends an HTTP header. How can I block
this header with iptables (without Squid)?

C U 

Miguel Angel Amador L.
e-mail:amador@puc.cl 



* Re: How to Block MSN
  2003-02-18 13:40       ` How to Block MSN Miguel Amador L.
@ 2003-02-18 15:49         ` Arnt Karlsen
  0 siblings, 0 replies; 12+ messages in thread
From: Arnt Karlsen @ 2003-02-18 15:49 UTC (permalink / raw)
  To: netfilter

On Tue, 18 Feb 2003 13:40:09 GMT, 
"Miguel Amador L." <amador@puc.cl> wrote in message 
<20030218134009.93454.qmail@smtp.puc.cl>:

> How do I block MSN Messenger?
> When MSN searches for a proxy server, it sends an HTTP header. How can I
> block this header with iptables (without Squid)?

..block?  Have fun style: 
http://www.opera.com/pressreleases/en/2003/02/14/

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.





* Re: How to block all ports except port 21,22,80,8080 ???
  2003-02-18 10:15     ` Patrick Maartense
  2003-02-18 12:45       ` Ralf Spenneberg
  2003-02-18 13:40       ` How to Block MSN Miguel Amador L.
@ 2003-02-18 16:03       ` Alexander W. Janssen
  2003-02-18 12:19         ` Re2: " Pablo Allietti
  2 siblings, 1 reply; 12+ messages in thread
From: Alexander W. Janssen @ 2003-02-18 16:03 UTC (permalink / raw)
  To: Patrick Maartense; +Cc: Netfilter Mailinglist


On Tue, Feb 18, 2003 at 11:15:21AM +0100, Patrick Maartense wrote:
> it would be MUCH better to
> 
> iptables -P INPUT DROP # default drop
> then allow only these ports
> iptables -A INPUT -p tcp -m multiport  --dport 21,22,80,8080 -j ACCEPT
> 
> Safe thinking: default drop, allow only what is needed.

And it's always a good idea to allow traffic from loopback:

iptables -A INPUT -i lo -j ACCEPT

I heard people telling that ssh is using 22/udp as well. I'm not sure if
that's true, though I haven't found any sshd which ever bind()ed to 22/udp.
Anyone more information?

Allowing ICMP should be mandatory as well, otherwise you'll create another
PMTU blackhole and you'll miss almost all error messages. And sending real
error messages like tcp-reset and ICMP port unreachable is a good thing, too.
You can limit them, if you like.

iptables -A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset # limit if you like
iptables -A INPUT -j REJECT     # and that one as well
# implicit DROP due to default policy should happen here

Alex.
 

-- 
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tongue in cheek. Read as normal.



* Re: How to block all ports except port 21,22,80,8080 ???
  2003-02-18 12:19         ` Re2: " Pablo Allietti
@ 2003-02-18 19:40           ` Alexander W. Janssen
  2003-02-18 19:51           ` Re2: " Alexander W. Janssen
  1 sibling, 0 replies; 12+ messages in thread
From: Alexander W. Janssen @ 2003-02-18 19:40 UTC (permalink / raw)
  To: Pablo Allietti; +Cc: netfilter


On Tue, Feb 18, 2003 at 03:19:19PM +0300, Pablo Allietti wrote:
>  iptables -A INPUT -i lo -j ACCEPT
> 
> Another question: when I put this line in, iptables -L says
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> 
> With this, do I open all ports to any connection from outside?

No it won't. Try "iptables -vnL" instead, it will show you that the rule is
limited to traffic coming from the lo-interface.
 
Alex.

-- 
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tongue in cheek. Read as normal.



* Re: Re2: How to block all ports except port 21,22,80,8080 ???
  2003-02-18 12:19         ` Re2: " Pablo Allietti
  2003-02-18 19:40           ` Alexander W. Janssen
@ 2003-02-18 19:51           ` Alexander W. Janssen
  1 sibling, 0 replies; 12+ messages in thread
From: Alexander W. Janssen @ 2003-02-18 19:51 UTC (permalink / raw)
  To: Pablo Allietti; +Cc: netfilter


On Tue, Feb 18, 2003 at 03:19:19PM +0300, Pablo Allietti wrote:
> What is the line to permit all inside to outside?

None of them. You have to distinguish between two different topics: the traffic
originating on the firewall itself and the forwarded traffic.

If traffic originates on the firewall it will leave the machine through the
OUTPUT chain. Traffic which is destined for the firewall itself will enter the
machine through the INPUT chain. This is what you did. To be correct, there is
a problem: even if you allow traffic leaving the box through the OUTPUT chain,
you have to permit the answers to that traffic to *enter* the firewall again.
Therefore you should include that line in your firewall script, preferably as
the first statement in the INPUT chain, since it is the most used rule ever:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Explaining that rule is somewhat beyond the scope of this email, but I suggest
reading one of the tutorials at [1].

Traffic which is forwarded by the firewall is filtered in the FORWARD chain.
So, for example, if your internet interface is eth0 and your internal
interface is eth1 and you just want to allow the internal machines to access
the outside world, you would do something like this:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset # everything else
iptables -A FORWARD -j REJECT # reject everything else
                              # with icmp-port-unreachable
# implicit DROP due to policy happens here

Alex.



[1] http://www.netfilter.org/documentation/index.html

-- 
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tongue in cheek. Read as normal.


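As an added illustration (not code posted by anyone in this thread), the following Python models how the netfilter filter table walks a chain (first matching rule wins, otherwise the chain policy applies) and runs the two approaches discussed above over the same constructed packets: Ralf's single drop-list rule left on the stock ACCEPT policies, and Joel's default-drop set extended with Alex's loopback rule and FORWARD example. The interface names eth0 (internet) and eth1 (LAN) are taken from Alex's example; the RELATED packet assumes ip_conntrack_ftp is loaded, as Joel describes; the packets and their labels are made up for the demonstration. Only the match fields the posted rules use (protocol, destination port with multiport negation, in/out interface, conntrack state) are modelled.

```python
"""Model of how the netfilter filter table walks a chain, used here to
compare the two rulesets from this thread on the same constructed packets.
Added illustration, not code from the thread: real iptables matches many
more fields; only the ones the posted rules use are modelled."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ALLOWED_TCP = frozenset({21, 22, 80, 8080})
STATEFUL = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    chain: str                  # INPUT, OUTPUT or FORWARD
    proto: str                  # tcp, udp, icmp
    dport: Optional[int] = None
    in_if: str = "eth0"         # assumed: eth0 = internet side, eth1 = LAN
    out_if: str = ""
    state: str = "NEW"          # what ip_conntrack would report for this packet


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT or DROP (REJECT ends the walk the same way)
    proto: Optional[str] = None
    dports: FrozenSet[int] = frozenset()
    invert_dports: bool = False  # the "-m multiport ! --dport" form
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: FrozenSet[str] = frozenset()

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports and (p.dport in self.dports) == self.invert_dports:
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.out_if is not None and p.out_if != self.out_if:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


class FilterTable:
    def __init__(self, policies: Dict[str, str]) -> None:
        self.policies = dict(policies)                     # iptables -P
        self.rules: Dict[str, List[Rule]] = {c: [] for c in policies}

    def append(self, chain: str, rule: Rule) -> None:     # iptables -A
        self.rules[chain].append(rule)

    def verdict(self, p: Packet) -> str:
        # First matching rule wins; otherwise fall through to the chain policy.
        for rule in self.rules[p.chain]:
            if rule.matches(p):
                return rule.target
        return self.policies[p.chain]


def droplist_ruleset() -> FilterTable:
    """Ralf's one rule on top of the stock ACCEPT policies."""
    t = FilterTable({"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"})
    # iptables -A INPUT -p tcp -m multiport ! --dport 21,22,80,8080 -j DROP
    t.append("INPUT", Rule("DROP", proto="tcp", dports=ALLOWED_TCP, invert_dports=True))
    return t


def default_drop_ruleset() -> FilterTable:
    """Joel's default-drop set plus Alex's loopback and FORWARD rules."""
    t = FilterTable({"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"})
    t.append("INPUT", Rule("ACCEPT", in_if="lo"))
    t.append("INPUT", Rule("ACCEPT", states=STATEFUL))
    t.append("INPUT", Rule("ACCEPT", proto="tcp", dports=ALLOWED_TCP))
    t.append("OUTPUT", Rule("ACCEPT", states=STATEFUL))
    t.append("FORWARD", Rule("ACCEPT", states=STATEFUL))
    t.append("FORWARD", Rule("ACCEPT", in_if="eth1", out_if="eth0"))
    return t


# Constructed packets, not captured traffic. RELATED assumes ip_conntrack_ftp
# is loaded so the FTP data connection is tied to the port-21 control session.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ssh_from_internet":       Packet("INPUT", "tcp", 22),
    "smtp_from_internet":      Packet("INPUT", "tcp", 25),
    "dns_query_from_internet": Packet("INPUT", "udp", 53),
    "local_mysql_over_lo":     Packet("INPUT", "tcp", 3306, in_if="lo"),
    "passive_ftp_data":        Packet("INPUT", "tcp", 40123, state="RELATED"),
    "reply_to_our_own_wget":   Packet("INPUT", "tcp", 51000, state="ESTABLISHED"),
    "firewall_dns_lookup":     Packet("OUTPUT", "udp", 53, in_if="", out_if="eth0"),
    "lan_to_web":              Packet("FORWARD", "tcp", 80, in_if="eth1", out_if="eth0"),
    "internet_to_lan_ssh":     Packet("FORWARD", "tcp", 22, in_if="eth0", out_if="eth1"),
}


def evaluate(table: FilterTable, packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Verdict per named packet, so the two rulesets can be compared side by side."""
    return {name: table.verdict(p) for name, p in packets.items()}


if __name__ == "__main__":
    a, b = evaluate(droplist_ruleset()), evaluate(default_drop_ruleset())
    print(f"{'packet':26} {'drop-list':10} default-drop")
    for name in SAMPLE_PACKETS:
        print(f"{name:26} {a[name]:10} {b[name]}")
```

Run as a script it prints one verdict per packet per ruleset. The drop-list rule only looks at TCP destination ports, so it leaves UDP and the whole FORWARD chain on the stock ACCEPT policy, and at the same time drops the return traffic to the firewall's own outbound TCP connections, the passive-FTP data connection and local loopback traffic, all of which arrive on ports outside the list. The default-drop set fixes each of those through the loopback and state rules, while still dropping NEW connections the firewall itself originates, because its OUTPUT chain carries only the state rule; that is the answer-traffic trap Alex describes above.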
