LinuxQuestions.org
Linux - Security
Old 02-25-2006, 02:03 PM   #1
aq_mishu
Member
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Iptables

Hi all,
Need a little suggestion... I have a server that is serving web, DNS, FTP, SSH, MySQL. I was in need to block some malicious ports... thus I did the following...
Code:
# My default rules

$IPTABLES -A INPUT -p tcp -m multiport --destination-port 111,135,139,199,445,587,593,4444,6000 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --destination-port 69,135,137,138 -j DROP
Now I want to block all ports and then allow those services only. Note: The server is serving as DNS and at the same time it looks up unknown addresses. What can be a conf??
Mishu~~
 
Old 02-25-2006, 02:48 PM   #2
Brian1
LQ Guru
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

I would go to http://easyfwgen.morizot.net/gen/ . Answer the questions and it will generate a decent iptables script. This will create one that blocks all ports and then opens only the ones you added during the setup. 95% the best way to do it.

As far as the DNS lookup, I presume you mean it cannot see itself as the external names. That requires a DNAT statement. Check this link out for that if this is what you are talking about. http://www.linuxquestions.org/questi...postid=1944372

Brian1

Last edited by Brian1; 02-25-2006 at 02:50 PM.
 
Old 02-26-2006, 07:40 AM   #3
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

just create rules with an ACCEPT target for the packets you want to allow, much in the same manner as the DROP rules you've posted... then set your INPUT policy to DROP... this way any packets not matching your ACCEPT rules will go to DROP...

Code:
iptables -P INPUT DROP
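Putting the two replies together, here is an added example script (not code from the thread or from either poster): a default-deny INPUT policy with ACCEPT rules for the services the original poster listed (web, DNS, FTP, SSH, MySQL). The DRY_RUN switch, the run() wrapper and the admin subnet that MySQL is restricted to are my own assumptions; the state match on ESTABLISHED,RELATED is what lets the server's own recursive DNS lookups get their answers back through a DROP policy.

```shell
#!/bin/sh
# Added example, not the thread's own code. Default-deny INPUT for a host that
# serves web, DNS, FTP, SSH and MySQL. Set DRY_RUN=1 (the default here) to
# print the commands for review; DRY_RUN=0 as root applies them.
DRY_RUN=${DRY_RUN:-1}
IPTABLES=${IPTABLES:-/sbin/iptables}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}   # constructed placeholder (TEST-NET-1), assumption

# Either print an iptables command line or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

firewall_rules() {
    # Start from a clean INPUT chain, then close it by default.
    run -F INPUT
    run -P INPUT DROP
    # Loopback, and replies to conversations this host started. The second rule
    # is what lets the resolver's outgoing UDP/53 queries receive their answers.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services the box actually offers; everything else hits the DROP policy.
    run -A INPUT -p tcp --dport 80 -j ACCEPT        # web (add 443 if HTTPS is served)
    run -A INPUT -p tcp --dport 53 -j ACCEPT        # DNS over TCP (large answers, zone transfers)
    run -A INPUT -p udp --dport 53 -j ACCEPT        # DNS over UDP
    run -A INPUT -p tcp --dport 21 -j ACCEPT        # FTP control; data channel rides on RELATED
    run -A INPUT -p tcp --dport 22 -j ACCEPT        # SSH
    run -A INPUT -p tcp -s "$ADMIN_NET" --dport 3306 -j ACCEPT   # MySQL, admin subnet only
}

# Number of ACCEPT rules the script would install (useful for a quick sanity check).
count_accept_rules() {
    ( DRY_RUN=1; firewall_rules ) | grep -c -- '-j ACCEPT'
}

firewall_rules
```

The order matters: the ESTABLISHED,RELATED rule sits before the per-service rules so return traffic is accepted without a rule per protocol. FTP data connections only match RELATED when the ip_conntrack_ftp helper (nf_conntrack_ftp on newer kernels) is loaded. OUTPUT is left at its default ACCEPT policy, which is what permits the server's outgoing lookups; the DROP policy on INPUT is all that is needed for the "block everything, then allow these services" goal.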
 
  

