LinuxQuestions.org - iptables doesn't work as expected

- Red Hat (http://www.linuxquestions.org/questions/red-hat-31/)

- - iptables doesn't work as expected (http://www.linuxquestions.org/questions/red-hat-31/iptables-doesnt-work-as-expected-4175446039/)

rluo	01-17-2013 10:08 AM

iptables doesn't work as expected

Hi All,
I want to use the command below to block port 23 for all IPs except one 192.168.1.11:
#iptables -A INPUT ! -s 192.168.1.11 -p tcp --dport 23 -j DROP

after I am done and restart iptables, all other IPs can still telnet it. not sure if anyone knows what my problem is?

thanks,
Ray

david1941

01-17-2013 10:36 AM

The -A flag means "append" to the chain. Of course all the previous rules would then apply. You might want your rule inserted earlier than the others. In that case use the "-I" insert flag.

rluo	01-17-2013 12:13 PM

Quote:

Originally Posted by david1941 (Post 4872278)

The -A flag means "append" to the chain. Of course all the previous rules would then apply. You might want your rule inserted earlier than the others. In that case use the "-I" insert flag.

Thanks, David. It works now for both -A and -I. The problem was I restarted iptables after I FLUSH the current firewall rules.

wstewart

01-18-2013 12:34 AM

The more common and more secure way to do this would be to just block all inbound traffic and only allow the traffic that you want in your network. That way you don't have to go around blocking every single port that you want to be secured and instead only add the ports that you want to open as an exception Since there would be tens of thousands of ports to lock down.

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.1.11 -p tcp --dport 23 -j ACCEPT

All times are GMT -5. The time now is 03:18 AM.