Quote:
Originally Posted by nausicaavow
After looking through the Iptables tutorial I think a simple example will help me to get started with learning this.
Can someone show me what a simple IP filter script would look like for use in order to block all inbound (unsolicited) traffic by default.
I only want TCP port 22 open (ssh) to the world.
And TCP port 21 open (ftp) to the local network (192.168.1.xxx).
I want port 80 and 443 to function normally for browser use.
Thanks for the help!
Code:
# block all inbound (unsolicited) traffic by default:
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# I only want TCP port 22 open (ssh) to the world:
iptables -A INPUT -p TCP --dport 22 --syn -m state --state NEW -j ACCEPT
# And TCP port 21 open (ftp) to the local network (192.168.1.xxx):
iptables -A INPUT -p TCP --dport 21 -s 192.168.1.0/24 --syn -m state --state NEW -j ACCEPT
This assumes you only have one NIC, otherwise you should specify which NIC to match against.
As for outbound connections to ports 80 and 443, that would be done in the OUTPUT chain. But since these rules here aren't touching that chain, they will be allowed by default, so web browsing should work just fine.
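To see why that rule set behaves as described (first matching rule wins, anything unmatched falls through to the DROP policy, and browser replies come back in under ESTABLISHED), here is an added example that is not part of the thread: a small Python model of the INPUT chain above. It does not run iptables; the `Packet`, `Rule` and `Chain` classes, the `wan_iface` parameter (illustrating the "specify which NIC" caveat) and the sample packets are all constructed for this demonstration, using conntrack state names and documentation-range addresses.

```python
"""Toy model of the netfilter INPUT chain from the reply above (example code, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
import ipaddress


@dataclass
class Packet:
    """Constructed inbound packet with the attributes the rules match on."""
    src: str        # source IPv4 address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for protocols without ports)
    syn: bool       # TCP SYN-only, i.e. a fresh connection attempt (--syn)
    state: str      # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    iface: str      # input interface, e.g. "eth0" or "lo"


@dataclass
class Rule:
    """One `iptables -A INPUT ...` line; every set field must match (AND semantics)."""
    target: str                         # ACCEPT or DROP
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    src: Optional[str] = None           # -s, as a CIDR network
    syn: bool = False                   # --syn
    states: Optional[FrozenSet[str]] = None  # -m state --state
    iface: Optional[str] = None         # -i

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.syn and not p.syn:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        return True


class Chain:
    """Rules are consulted in order; the first match decides, else the policy applies."""
    def __init__(self, policy: str):
        self.policy = policy          # iptables -P INPUT <policy>
        self.rules = []

    def append(self, rule: Rule) -> None:   # iptables -A INPUT ...
        self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.target
        return self.policy


def build_input_chain(wan_iface: Optional[str] = None) -> Chain:
    """Reproduce the reply's rule set. wan_iface, if given, pins the two port
    rules to one NIC, as the reply suggests for multi-homed hosts."""
    ch = Chain("DROP")
    ch.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    ch.append(Rule("ACCEPT", iface="lo"))
    ch.append(Rule("ACCEPT", proto="tcp", dport=22, syn=True, states=frozenset({"NEW"}), iface=wan_iface))
    ch.append(Rule("ACCEPT", proto="tcp", dport=21, src="192.168.1.0/24", syn=True,
                   states=frozenset({"NEW"}), iface=wan_iface))
    return ch


# Constructed sample traffic (203.0.113.0/24 is a documentation range standing in for "the Internet").
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ssh_from_internet":  Packet("203.0.113.7",   "tcp", 22,    True,  "NEW",         "eth0"),
    "ftp_from_lan":       Packet("192.168.1.20",  "tcp", 21,    True,  "NEW",         "eth0"),
    "ftp_from_internet":  Packet("203.0.113.7",   "tcp", 21,    True,  "NEW",         "eth0"),
    "web_reply":          Packet("203.0.113.80",  "tcp", 51234, False, "ESTABLISHED", "eth0"),  # answer to our port-443 request
    "unsolicited_http":   Packet("203.0.113.7",   "tcp", 80,    True,  "NEW",         "eth0"),
    "loopback_service":   Packet("127.0.0.1",     "tcp", 3306,  True,  "NEW",         "lo"),
    "unsolicited_dns":    Packet("203.0.113.53",  "udp", 53,    False, "NEW",         "eth0"),
}


def evaluate_samples(wan_iface: Optional[str] = None) -> Dict[str, str]:
    """Return the verdict for every constructed packet."""
    chain = build_input_chain(wan_iface)
    return {name: chain.verdict(p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The `web_reply` case is the point of the reply's last paragraph: the browser's outbound request leaves via the untouched OUTPUT chain, and the server's answer is let back in by the RELATED,ESTABLISHED rule, so no port 80/443 rule is needed in INPUT. Passing `wan_iface="eth0"` shows the NIC caveat: a SYN to port 22 arriving on a second interface such as `eth1` then falls through to the DROP policy.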