Linux - Networking
This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Have a look at this tutorial for all the options...
Using LOKKIT (cough, cough) will make a set of rules in /etc/sysconfig/iptables
Adding the rules above needs to be done after the LOKKIT rules are active, then do service iptables save to make them permanent. iptables-save prints all active rules to the screen.
I second Peter's recommendation of that tutorial... read it three times before you try anything.
You should also be aware that LOKKIT is, um, *not well regarded*, and perhaps you would do better creating a rules script on your own. It might be a little intimidating at first but you will almost certainly end up with a better set of rules.
You should consider adding a rule that accepts packets bound to already-established sessions:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Peter, the rules you posted look good to me, but I wonder if Beuzekom needs UDP also.
Jo thanks ... did loads of reading and got things working!
You are right: initially the syntax is kind of strange, but once you have tried something it is really easy! I configured all specific ports, and for the internal network I even do some MAC checking :-) ... and whatever is not defined in the chain is dropped
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
I'd recommend you don't use the -s 0/0 -d 0/0 matches.
It's an unnecessary use of processor time and there are some packets which won't match against an IP number.
If that rule is going to be last, change the chain POLICY to DROP instead and maybe add a logging line to see what has been dropped.
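To tie together the advice in this thread (a hand-written rules script instead of lokkit, the ESTABLISHED,RELATED rule near the top, a DROP chain policy instead of trailing catch-all DROP rules, and a logging line before the policy takes effect), here is an added example script. It is not code from any post above and not from lokkit; the interface name eth0, the LAN range 192.168.1.0/24, the open ports (22 from the LAN only, 80 from anywhere) and the /sbin/iptables path are illustrative assumptions you would change for your own box.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: the iptables
# binary path, WAN interface eth0, LAN range 192.168.1.0/24, and the services
# opened (ssh from the LAN, http from anywhere). Set IPTABLES=echo to print
# the rules instead of loading them (useful for reviewing without root).
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

firewall_rules() {
    # Start from a clean INPUT/FORWARD chain so the script can be re-run safely.
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD

    # Chain policy does the final drop. This replaces a last rule like
    # "-s 0/0 -d 0/0 -j DROP" and also catches packets that never match an
    # address-based rule at all.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback traffic is always allowed.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Replies to sessions this host started (TCP and UDP, e.g. DNS answers) and
    # related traffic (ICMP errors). Placed before the port rules so most
    # packets are accepted after a single match.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A "new" TCP packet that is not a SYN is bogus (stray or crafted); drop it
    # before it reaches the per-port rules.
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Explicitly opened services. ssh only from the internal network,
    # http from anywhere on the WAN interface.
    $IPTABLES -A INPUT -p tcp --dport 22 -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Allow ping, but rate-limited so a flood cannot tie up the host.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log whatever falls through, rate-limited so an attacker cannot fill the
    # syslog, then let the DROP policy discard it. Look for "IPT-DROP:" in
    # /var/log/messages (or wherever your syslog writes kern.warning).
    $IPTABLES -A INPUT -m limit --limit 3/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
}
```

Source the file and call firewall_rules as root; with IPTABLES=echo it prints the commands so you can read the resulting rule order before loading it. On a distribution that keeps its rules in /etc/sysconfig/iptables, as this thread's does, run service iptables save afterwards so the set survives a reboot. Everything not opened here, UDP included, is dropped by the INPUT policy, which is the point raised above about needing UDP rules: add explicit --dport rules for any UDP service you actually run.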