Blocking specific ports on IPTABLES
I'm trying to block ports (just using 21 as an example).
I tried using:
Code:
$IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j DROP
I saw that off an example on another post. I also tried:
Code:
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j denied
(also DROP, REJECT, etc.). When I go to run the firewall again, it runs fine, but on nmapping the machine and also ftping from the outside, it still allows access. Still showing open. I also tried adding an -N denied (DROP, REJECT, etc.) with no luck on that. Can anybody please inform me of how I should go about doing this? Also, another question: how can I allow unrestricted access from a specific subnet?
Is your external (internet) interface eth0 or is that your LAN? If you have the wrong interface, the external scan will still show the port as open. A simpler approach might be to have a default policy of drop for the input chain and then allowing ports as you need them.
Have a look through http://www.netfilter.org/documentation/ and http://iptables-tutorial.frozentux.n...-tutorial.html - they both provide useful information.
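The default-DROP-and-whitelist approach suggested above, written out as a generator for an iptables-restore ruleset. This is an added example and not code from either poster; the interface name, trusted subnet, blocked port and the open SSH port are assumed sample values. It also includes a small order check, because iptables stops at the first matching rule: a DROP appended after an ACCEPT for the same port (for instance at the end of a chain that is only jumped to after other chains already accepted the packet) never fires, which is the usual reason nmap still reports the port open.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset with a
# default DROP policy on INPUT, explicit allows, and an explicit DROP for one
# TCP port on the WAN interface. Arguments are assumed sample values.
# Apply with:  gen_ruleset eth0 192.168.1.0/24 21 | iptables-restore
# Applying needs root and a live netfilter stack; generating the text does not.
gen_ruleset() {
    wan="$1"        # external interface, e.g. eth0
    trusted="$2"    # subnet granted unrestricted access, e.g. 192.168.1.0/24
    blocked="$3"    # TCP port to drop explicitly on the WAN side, e.g. 21
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections we opened are always accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Unrestricted access from the trusted subnet (the second question above).
-A INPUT -s ${trusted} -j ACCEPT
# Explicit drop for the blocked port on the WAN side. With a DROP policy this
# is redundant, but it documents intent and gets its own counter in iptables -nvL.
-A INPUT -i ${wan} -p tcp --dport ${blocked} -j DROP
# Services that should be reachable from the internet go here, one per line
# (assumed example: SSH).
-A INPUT -i ${wan} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin. Returns 0 when no ACCEPT for the given port appears
# in INPUT before its DROP, 1 otherwise. First match wins in iptables, so an
# ACCEPT ahead of the DROP makes the DROP unreachable.
port_drop_is_effective() {
    port="$1"
    awk -v p="$port" '
        /^-A INPUT/ && $0 ~ ("--dport " p " ") && /-j ACCEPT/ && !seen_drop { bad = 1 }
        /^-A INPUT/ && $0 ~ ("--dport " p " ") && /-j DROP/ { seen_drop = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone usage:  sh firewall_gen.sh eth0 192.168.1.0/24 21 > rules.v4
if [ $# -eq 3 ]; then
    gen_ruleset "$1" "$2" "$3"
fi
```

Check the generated file with `iptables-restore --test rules.v4` before loading it, and keep an out-of-band way onto the box in case the allow list is wrong, since the INPUT policy is DROP from the moment the ruleset is committed.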
eth0 WAN
eth1 LAN
I'm doing an nmap/ftp test from externally. I know I have the right interface.
The following should drop anything coming in on tcp port 21 on eth0:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Code:
iptables: Chain already exists
Chain names I have right now are "allowed", "tcp_packets", "udp_packets" and "icmp_packets"; don't know if that matters.
DROP is one of the default targets. Posting your existing configuration might help us find the source of all the problems.
Do you mind posting the whole script so we can try and step through it?
Might be a silly question, but are you doing an iptables-restore < your script after you edited it?
Code:
INET_IP="70.121.144.215"