LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 03-30-2010, 07:01 AM   #1
uwa45
Member
 
Registered: Oct 2006
Location: Lagos,Nigeria
Distribution: Fedora core 3, Redhat 9.0,Centos 4.6
Posts: 43

Rep: Reputation: 15
closing ports with iptables


Hi,
I am about to have a system on the internet with a dedicated public IP address. I want all ports and services closed except the following ports and services:
port 22 or 7777 for TCP/IP for SSH
80 for HTTP
100-200 for NTP
5555 for UDP
How do I go about this using iptables? Thanks.
 
Old 03-30-2010, 07:08 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
The better approach is to close ALL ports and only open the ones you need. So you start with the table defaults:

Code:
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
And then you can open individual ports as needed:

Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Of course you will need rules to allow outgoing traffic as well. I usually use state inspection for that:

Code:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
Old 03-30-2010, 10:42 AM   #3
uwa45
Member
 
Registered: Oct 2006
Location: Lagos,Nigeria
Distribution: Fedora core 3, Redhat 9.0,Centos 4.6
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks for your reply, Hangdog42. Assuming I don't want to use the default SSH port 22 but some other port, how do I go about that? I notice that your distro is Slackware and I am actually going to be doing this with a Slackware box. How do I make the login GUI the default for Slackware?
 
Old 03-30-2010, 12:34 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Assuming I don't want to use the default SSH port 22 but some other port, how do I go about that?
For the firewall, you just need to change the port after the --dport to match whatever port you are running SSH on. To run ssh on a different port, look at the Port directive in /etc/sshd_config.

By the way, moving the SSH port is NOT a security measure. The only thing it will do is cut down on the messages in your log file from the script kiddies. Make sure that you've properly configured SSH to not allow root login. You also might consider using key-based authentication instead of usernames/passwords. If you have a small number of users, using the AllowUsers directive is also a very good measure.

Quote:
How do I make the login GUI the default for Slackware?
Edit your /etc/inittab file and look for this line (it is near the top)

Code:
id:3:initdefault:
Change the 3 to a 4 and Slackware will switch to a GUI login.
 
Old 03-31-2010, 12:16 PM   #5
uwa45
Member
 
Registered: Oct 2006
Location: Lagos,Nigeria
Distribution: Fedora core 3, Redhat 9.0,Centos 4.6
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks again for your reply. I was actually thinking of using redirect, to redirect traffic coming to port 22 to port 7777. Would it have worked this way?
 
Old 03-31-2010, 02:18 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by uwa45
Thanks again for your reply. I was actually thinking of using redirect, to redirect traffic coming to port 22 to port 7777. Would it have worked this way?

Can I ask you to explain how your network is set up and a bit about why you are doing this? I'm not sure I understand why you would redirect traffic this way, but if you are then it could affect how you set up iptables.
 
Old 04-01-2010, 07:33 AM   #7
uwa45
Member
 
Registered: Oct 2006
Location: Lagos,Nigeria
Distribution: Fedora core 3, Redhat 9.0,Centos 4.6
Posts: 43

Original Poster
Rep: Reputation: 15
OK. This is what I really want to do. I have been asked to configure a server that will be used to host a WWLLN receiver at a site. The system will be online 24/7 so will require a dedicated IP. I have decided to use a dedicated public IP. The following ports will need to be opened: 22 or 7777 for TCP/IP SSH, 80 for HTTP, 100-200 for NTP and 5555 for UDP to send data to WWLLN. For security, all interaction with this machine will be closed down except for a list of certain systems whose addresses I don't have yet. So you see, this is what I am working on. I just need to be sure I am on the right course before I start the actual configuration.
Do you also know anything about configuring NTP on Linux? Most books I have consulted are not explanatory enough. And how would the system be configured to allow communication with specific systems on the internet? Thanks again for your help.
 
Old 04-01-2010, 11:51 AM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Thanks for the explanation, that helps.

Quote:
The following ports will need to be opened: 22 or 7777 for TCP/IP SSH
I'm still not sure why you are redirecting incoming 22 to 7777. If I were in your shoes, I would just run ssh on port 22 and make sure it is locked down. Or just run it on 7777 and not worry about the redirection, and again make sure it is locked down. The other ports should be easy to open by modifying the rule I posted earlier.

Quote:
All interaction with this machine will be closed down except for a list of certain systems whose addresses I don't have yet.
Cool. Once you do have those addresses, I strongly suggest you use tcpwrappers to limit access to those addresses. Take a look at step 3 here for examples of how to modify your hosts.allow and hosts.deny files. You could also do this in iptables, but I think using tcpwrappers is probably a bit easier to start.

Quote:
Do you also know anything about configuring NTP on Linux? Most books I have consulted are not explanatory enough. And how would the system be configured to allow communication with specific systems on the internet?
My understanding is that you use the server directive in your /etc/ntp.conf file to point to specific systems. Have a look here for an example. Now one thing to keep in mind is that pointing to a specific server is considered rude unless you have permission to do so. It is usually best to just use the ntp pool servers that are in your area. Unless you have some highly specific need, having 3 or 4 pool servers in your ntp.conf file should keep things on time.
 
Old 04-06-2010, 12:49 PM   #9
uwa45
Member
 
Registered: Oct 2006
Location: Lagos,Nigeria
Distribution: Fedora core 3, Redhat 9.0,Centos 4.6
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks for your answer. Let's say I don't want to use tcpwrappers; how do I achieve the same with iptables? Could you please write out the code using an arbitrary IP address? And also, how do I run ssh on 7777 instead of the default? Is that change done in the ssh.config file or with iptables?
 
Old 04-07-2010, 07:17 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
For every IP address you want to accept, you need something like this:

Code:
iptables -A INPUT -s 192.168.0.4 -p tcp --dport 7777 -j ACCEPT
By the way this is one of the best iptables tutorials out there.

As for running ssh on 7777, you need to set that in your /etc/ssh/sshd_config file. Look for the Port line, set it to 7777 and restart sshd.
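Putting the pieces from this thread together (the DROP policies from post #2 and the per-address ACCEPT from post #10) for the port list in the opening post, as an added example that is not code from anyone in this thread. The management addresses 192.0.2.10 and 198.51.100.0/24, the IPT and APPLY variables and the log prefix are placeholders of the example's own; the 100-200 UDP range is the poster's stated one (standard NTP is 123/udp).

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT for the poster's
# port list, with SSH reachable only from listed management hosts.
# Dry run by default: the rules are printed. APPLY=1 as root installs them.

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-7777}"
# Management hosts allowed to reach SSH (constructed placeholder addresses)
SSH_SOURCES="${SSH_SOURCES:-192.0.2.10 198.51.100.0/24}"

build_input_rules() {
    # Start clean, then set the default policies before adding rules
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP          # not a router: nothing should be forwarded

    # Loopback, and replies belonging to connections this host already has
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # SSH only from the listed management hosts: one rule per address,
    # and no unrestricted --dport rule for the SSH port at all
    for src in $SSH_SOURCES; do
        $IPT -A INPUT -s "$src" -p tcp --dport "$SSH_PORT" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # Services that must be reachable from anywhere
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Poster's stated NTP range; the standard NTP port is 123/udp
    $IPT -A INPUT -p udp --dport 100:200 -j ACCEPT
    # Poster lists 5555/udp; post #7 says it is used to send data out,
    # in which case the ESTABLISHED rule above already covers the replies
    $IPT -A INPUT -p udp --dport 5555 -j ACCEPT

    # Log a rate-limited sample of what falls through to the DROP policy,
    # so refused connections are visible in syslog when debugging
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
}

# Print the rules unless explicitly asked to apply them
[ "${APPLY:-0}" = 1 ] || IPT=echo
build_input_rules
```

Rule order matters: the ESTABLISHED,RELATED rule comes before the port rules so return traffic is handled once, and because every SSH rule carries a -s match, a connection to 7777 from an address not in SSH_SOURCES hits the LOG rule and then the DROP policy.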
 
Old 04-10-2010, 01:15 PM   #11
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
Quote:
Originally Posted by Hangdog42
The better approach is to close ALL ports and only open the ones you need. So you start with the table defaults:

Code:
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
Blocking outbound traffic is pointless. And just dropping packets will cause problems with some clients (e.g. IPsec BTN), and cause confusion when debugging network problems. And as this is not a router you can ignore the FORWARD chain. Also don't forget IPv6.

Code:
# REJECT is a rule target, not a chain policy: policy DROP, then a final REJECT rule after the ACCEPTs
iptables -P INPUT DROP
iptables -A INPUT -j REJECT
ip6tables -P INPUT DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -j REJECT
 
Old 04-10-2010, 01:30 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by TimothyEBaldwin
Blocking outbound traffic is pointless.
Could you elaborate as to why you feel this way, please? That's the least you could do, considering your comment conflicts with virtually every network security book ever written.
 
Old 04-10-2010, 02:51 PM   #13
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
I was thinking this system is a dedicated server, with nothing on it that will initiate unwanted outbound connections.

BTW, you would want to allow outbound DNS and FTP to allow software updates.
 
Old 04-10-2010, 03:27 PM   #14
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
I was thinking this system is a dedicated server, with nothing on it that will initiate unwanted outbound connections.
What if "unauthorized" software gets involved? However, given the rule I suggested for the OUTPUT chain, really any traffic could get out without an issue.
 
Old 04-10-2010, 03:41 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by TimothyEBaldwin
I was thinking this system is a dedicated server, with nothing on it that will initiate unwanted outbound connections.
Right, but a properly configured host-based firewall will be able to deny/limit any outbound connections from being made when the box gets a non-root user account cracked. Practically speaking, this means that a host-based firewall will reduce the risk of the attack spreading any further while you respond to the incident. This is one reason why it's a good idea to apply the same default deny methodology to outbound traffic. Personally, I start by allowing only outbound packets in states RELATED and ESTABLISHED – then I make any necessary exceptions.

Quote:
BTW, you would want to allow outbound DNS and FTP to allow software updates.
Agreed, and this would be a good example of the exceptions I'm referring to. Additionally, the more specific you make them, the better. For example, don't just allow all outbound UDP packets with destination port 53 – specify which destination IPs these packets will need to have in order to be allowed.

Last edited by win32sux; 04-10-2010 at 04:06 PM.
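win32sux's outbound policy written out (OUTPUT defaults to deny, only RELATED,ESTABLISHED plus narrow, destination-specific exceptions), together with the ip6tables counterpart TimothyEBaldwin reminds us about, as an added example that is not code from anyone in this thread. The resolver, mirror, NTP and collector addresses (192.0.2.53, 198.51.100.53, 203.0.113.x) are placeholders to replace with the real ones; the IPT, IPT6 and APPLY variables are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny OUTPUT with specific
# exceptions, plus the IPv6 rule set. Addresses are constructed placeholders.
# Dry run by default: the rules are printed. APPLY=1 as root installs them.

IPT="${IPT:-iptables}"
IPT6="${IPT6:-ip6tables}"
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 198.51.100.53}"   # placeholder resolvers
UPDATE_MIRROR="${UPDATE_MIRROR:-203.0.113.80}"           # placeholder package mirror
NTP_SERVERS="${NTP_SERVERS:-203.0.113.123}"              # placeholder NTP server
WWLLN_COLLECTOR="${WWLLN_COLLECTOR:-203.0.113.55}"       # placeholder; UDP 5555 per the OP

build_output_rules() {
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP

    # Loopback, and anything that belongs to an already accepted connection
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS only to the configured resolvers, not to any host on port 53
    for dns in $DNS_SERVERS; do
        $IPT -A OUTPUT -d "$dns" -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -d "$dns" -p tcp --dport 53 -j ACCEPT
    done

    # Package updates from one mirror over HTTP (FTP would additionally need
    # the nf_conntrack_ftp helper so the data connection counts as RELATED)
    $IPT -A OUTPUT -d "$UPDATE_MIRROR" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Time sync and the WWLLN data feed, each pinned to its destination
    for ntp in $NTP_SERVERS; do
        $IPT -A OUTPUT -d "$ntp" -p udp --dport 123 -j ACCEPT
    done
    $IPT -A OUTPUT -d "$WWLLN_COLLECTOR" -p udp --dport 5555 -j ACCEPT

    # Everything else is logged (rate limited) and rejected, so a process
    # under a compromised account that tries to call out fails fast and leaves a trace
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUTPUT-DENY: "
    $IPT -A OUTPUT -j REJECT
}

build_output6_rules() {
    # IPv6 has its own rule set; leaving it open bypasses the IPv4 policy
    $IPT6 -F OUTPUT
    $IPT6 -P OUTPUT DROP
    $IPT6 -A OUTPUT -o lo -j ACCEPT
    $IPT6 -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT6 -A OUTPUT -p icmpv6 -j ACCEPT   # neighbour discovery needs this
    $IPT6 -A OUTPUT -j REJECT
}

# Print the rules unless explicitly asked to apply them
[ "${APPLY:-0}" = 1 ] || { IPT=echo; IPT6=echo; }
build_output_rules
build_output6_rules
```

Every exception carries a -d match, so there is no rule that lets "any UDP to port 53" out; the final REJECT (rather than relying on the DROP policy) means a blocked local process gets an immediate error instead of a timeout, which makes the log line easier to correlate when something legitimate turns out to need a new exception.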
 
All times are GMT -5.