11 comments

1 alireza sadeh seighalan March 24, 2008 at 9:17 am

How can I use this order in Fedora Core?

Reply

2 Thomas May 13, 2008 at 9:17 am

Blocking really _ALL_ traffic can cause undesired effects. In fact quite a few applications use the internal loopback interface for internal communication. So the following two rules should be added to allow this:

iptables -A INPUT -i lo
iptables -A OUTPUT -o lo

which allow all traffic via the loopback interface. This should be perfectly safe, even in a hostile environment since all external traffic is still blocked.

Reply

3 Liju July 4, 2008 at 3:22 pm

hi,

It’s better to disable the network service than to use such a firewall.

Reply

4 AndresVia December 27, 2008 at 12:16 am

@Thomas, a “-j ACCEPT” at the end of the commands is needed.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Reply

5 paul March 14, 2009 at 9:52 pm

“Please do not enter above command over remote ssh login session.”
Haha, hilarious :D

Reply

6 terry March 23, 2009 at 12:47 am

Can someone help me figure out how to use iptables to block all traffic from an IP address? I am not sure what the command would be.

Reply

7 nixCraft March 23, 2009 at 9:24 am

8 Pieter Van Gorp January 17, 2010 at 8:11 pm

Hi all,
thanks for your input. Unfortunately I don’t know how to extend these commands for a slightly more subtle scenario: I want to prevent users from moving server content to the internet (=> iptables -P OUTPUT DROP on that server), but I do want to enable them to move content to the server (e.g., read e-mail, download attachments, …)

It seems that for general web browsing you do need output traffic (I guess just sending your request string??), but I was hoping that iptables could distinguish between control commands (e.g. sending an HTTP GET from the machine to the internet) and actual file transfers from the machine to the internet…

Is my hope in vain or is there a solution?

Best regards and thanks in advance,
Pieter

Reply

9 james January 27, 2011 at 12:56 pm

Hi All,

I am very new to iptables and new to Linux even. I am trying to allow all connections to my eth1 (public interface) except for the traffic coming in and out on UDP ports 5060 to 5080, which should only be allowed for specific IP addresses. Here’s my config below:

iptables --flush
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/22 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/22 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

###DROP ALL 5060-5080 ports
#iptables -A INPUT -p udp --dport 5050:5080 -j DROP
#iptables -A INPUT -p udp --dport 5050:5080 -j DROP

###ALLOW ALL PORTS FOR KNOWN IP
iptables -A INPUT -p udp -s A.B.C.D --dport 5050:5080 -j ACCEPT
iptables -A INPUT -p udp -s E.F.G.H --dport 5050:5080 -j ACCEPT
iptables -A INPUT -p udp -s I.J.K.L --dport 5050:5080 -j ACCEPT

I tested it, but I can still connect to that server on port 5061 from another public IP which is not declared to be allowed.

Help please…

Thanks

Reply

10 Alan Smith April 16, 2011 at 3:09 pm

James,

Not sure if you have got any further with this. I’m looking for the same sort of solution, as my Trixbox was hacked even though I ‘thought’ it was quite secure. I would say that you ought to consider blocking all ports from all IPs that you do not know, not just the SIP ones.

Alan…

Reply

11 joe February 19, 2012 at 4:43 pm

iptables -A INPUT -s 192.168.0.0/22 -j ACCEPT
accepts all input from subnets 192.168.0.0, 192.168.1.0, 192.168.2.0 and 192.168.3.0
iptables -A OUTPUT -d 192.168.0.0/22 -j ACCEPT
accepts all output from subnets 192.168.0.0, 192.168.1.0, 192.168.2.0 and 192.168.3.0
you never reach your drop rules
joe

Reply
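Two points in this thread come down to how iptables walks a chain: comment 2's loopback rules, which comment 4 notes have no -j target, and the first-match ordering behind comments 9 and 11. The following is an added example written for this page, not code from nixCraft or any commenter. It models only the matchers those comments use (-i, -p, -s, --dport low:high, -j) with first-match semantics and a chain policy; conntrack, FORWARD/OUTPUT and IPv6 are out of scope. The peer addresses stand in for the A.B.C.D placeholders and, like the sample packets, are constructed.

```python
"""Model of iptables INPUT-chain evaluation for the matchers used in this
thread (-i, -p, -s, --dport low:high, -j). Constructed example, not code from
nixCraft or the commenters. Only first-match semantics is modelled: no
conntrack, no FORWARD/OUTPUT, IPv4 only. Addresses are RFC 5737/1918 stand-ins."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    in_iface: str   # -i value, e.g. "lo" or "eth1"
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    dport: int      # destination port


@dataclass
class Rule:
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None                  # CIDR or single address (-s)
    dports: Optional[Tuple[int, int]] = None   # inclusive range (--dport low:high)
    target: Optional[str] = None               # "ACCEPT", "DROP", or None when -j is omitted

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dports is not None and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True


def evaluate(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """First rule that matches AND has a target decides. A rule without -j
    matches (counters only) and the packet keeps going; nothing left -> policy.
    Returns (verdict, index of deciding rule, or None when the policy decided)."""
    for i, rule in enumerate(chain):
        if rule.matches(p) and rule.target is not None:
            return rule.target, i
    return policy, None


def loopback_verdicts() -> Tuple[str, str]:
    """Comment 2's 'iptables -A INPUT -i lo' (no -j) versus comment 4's fix,
    under a DROP policy, for a local connection to a service on 127.0.0.1."""
    pkt = Packet("lo", "tcp", "127.0.0.1", 5432)
    as_posted = [Rule(in_iface="lo")]
    fixed = [Rule(in_iface="lo", target="ACCEPT")]
    return evaluate(as_posted, "DROP", pkt)[0], evaluate(fixed, "DROP", pkt)[0]


# Stand-ins for the A.B.C.D / E.F.G.H / I.J.K.L peers in comment 9 (constructed).
KNOWN_SIP_PEERS = ["198.51.100.10", "198.51.100.11", "203.0.113.40"]


def sip_chain(order: str) -> List[Rule]:
    """INPUT chain modelled on comment 9. 'as_posted' keeps the range DROP
    commented out; the other two uncomment it before or after the per-peer ACCEPTs."""
    chain = [Rule(in_iface="lo", target="ACCEPT"),
             Rule(src="192.168.0.0/22", target="ACCEPT")]
    range_drop = Rule(proto="udp", dports=(5050, 5080), target="DROP")
    peer_accepts = [Rule(proto="udp", src=ip, dports=(5050, 5080), target="ACCEPT")
                    for ip in KNOWN_SIP_PEERS]
    if order == "drop_before_accepts":
        chain += [range_drop] + peer_accepts
    elif order == "drop_after_accepts":
        chain += peer_accepts + [range_drop]
    else:
        chain += peer_accepts
    return chain


def sip_verdicts(order: str = "as_posted") -> Dict[str, Tuple[str, Optional[int]]]:
    """Verdict and deciding rule index for a few constructed packets to UDP/TCP 5061."""
    chain = sip_chain(order)
    samples = {
        "lan_host": Packet("eth0", "udp", "192.168.1.25", 5061),
        "known_peer": Packet("eth1", "udp", "198.51.100.10", 5061),
        "unknown_public": Packet("eth1", "udp", "203.0.113.7", 5061),
        "unknown_public_tcp": Packet("eth1", "tcp", "203.0.113.7", 5061),
    }
    return {name: evaluate(chain, "DROP", pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    print("loopback (as posted, fixed):", loopback_verdicts())
    for order in ("as_posted", "drop_before_accepts", "drop_after_accepts"):
        print(order, sip_verdicts(order))
```

Running it shows four things: a rule without -j matches but decides nothing, so under a DROP policy the loopback rules as written in comment 2 still drop local traffic; a 192.168.0.0/22 source is accepted by the second rule before any port rule is consulted, which is comment 11's point; an unlisted public source on UDP or TCP 5061 falls through to the DROP policy in the posted chain; and uncommenting the range DROP ahead of the per-peer ACCEPTs, in the order the posted config lists them, locks the known peers out as well. On a real host, confirm which rule a packet hits with the counters from `iptables -L INPUT -n -v` rather than by reasoning about the listing alone.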
