ports in iptables


PhatBarren
03-27-2003, 10:05 PM
Hi,

I'm trying to figure out how to use iptables. There seems to be no notion of ports in the specs for it. For example, let's say I want to DROP all packets coming in on port 21. How can I do that?

What I really want to do is disallow everything but what I need... internet access, SSH, and HTTP sometimes. The other thing I can't figure out is how to do that. For example, just to block everything but internet access, I would have this:

# default policy for the INPUT chain: drop what no rule accepts
./ipchains -P INPUT DROP
# append a rule to the INPUT chain (the chain name was missing) accepting all TCP
./ipchains -A INPUT -p tcp -j ACCEPT

With this, I still can't get Internet access.

All help is welcome. I am especially concerned about the ports.

Thanks,

Magueta
03-27-2003, 10:26 PM
For the ports you specify the destination port or the source port. To specify either of them you use the --dport or --sport options. A rule to allow SSH is


iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT


Your policies are set the same way as ipchains

iptables -P INPUT DROP

You should also include the following line at the top of your script, I mean make it your first rule.


# This one allows you to accept packets that have to do with an
# existing connection but come in on different ports. This is one
# of the reasons that iptables is preferred over ipchains
# (the state list must not contain a space after the comma, or
# iptables reads RELATED as a separate argument and rejects the rule)
iptables -A INPUT -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT


Joe

bwkaz
03-28-2003, 10:14 AM
The reason that iptables doesn't appear to support ports is that iptables works on the IP layer -- layer 3 of the "OSI 7-layer model of networking". The concept of a "port" is only applicable at layer 4, TCP or UDP.

Another way of saying this is, the "port" field in a network packet is not in the IP header. It's in the TCP or UDP header.

And although port numbers are generally allocated for TCP and UDP as the same number for one service, they don't have to be.

So you need to tell iptables which protocol the packet is (-p tcp) before you tell it the source or destination port (--dport 80 or --dport 22 or whatever).
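Putting the two answers together (the state rule first, then `-p tcp` before each `--dport`) for the original poster's case of "deny everything except SSH, HTTP and replies to my own connections", here is an added example script that is not from any of the posts. It emits the rules as text so they can be reviewed, and only runs them when invoked with `apply` as root; the loopback rule and the placement of the DROP policy after the accepts are my additions, not something the thread states.

```shell
#!/bin/sh
# Added example: default-deny INPUT policy for the case in the thread.
# Rules are printed so they can be inspected first; "apply" pipes them to sh.
# Assumption: IPv4 only (ip6tables would need the same treatment).

# One ACCEPT rule for an inbound TCP service port. The protocol (-p tcp)
# must come before --dport, since ports exist only in the TCP/UDP header.
allow_tcp_port() {
    echo "iptables -A INPUT -p tcp --dport $1 -j ACCEPT"
}

build_ruleset() {
    # Start from an empty INPUT chain.
    echo "iptables -F INPUT"
    # First rule: replies to connections this host opened (web browsing,
    # DNS lookups) come back on arbitrary ports, so match them by
    # connection state rather than by port.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Loopback traffic is local; many daemons depend on it (my addition).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # New inbound connections only to the services actually offered.
    allow_tcp_port 22    # SSH
    allow_tcp_port 80    # HTTP
    # Set the deny-by-default policy last, so applying this over an SSH
    # session does not drop that session before the state rule exists.
    echo "iptables -P INPUT DROP"
}

# 1-based line number of the first rule containing a token; used to check
# that the state rule is ordered before the per-port rules.
rule_index() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    apply) build_ruleset | sh ;;   # must be run as root
    *)     build_ruleset ;;
esac
```

Run without arguments to print the ruleset; run `sh script.sh apply` as root to load it.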