21

How can I block all ports except for 1962, 999, 12020?

One port for SSH and two others for a kind of script. So, it's necessary to allow outgoing on these ports, right?

My iptables:

# Generated by iptables-save v1.4.4 on Sat Feb 25 17:25:21 2012
*mangle
:PREROUTING ACCEPT [643521:136954367]
:INPUT ACCEPT [643521:136954367]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [645723:99904505]
:POSTROUTING ACCEPT [645723:99904505]
COMMIT
# Completed on Sat Feb 25 17:25:21 2012
# Generated by iptables-save v1.4.4 on Sat Feb 25 17:25:21 2012
*filter
:INPUT ACCEPT [643490:136950781]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [645723:99904505]
-A INPUT -p tcp -m tcp --dport 1962 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 999 -j ACCEPT 
COMMIT
# Completed on Sat Feb 25 17:25:21 2012
# Generated by iptables-save v1.4.4 on Sat Feb 25 17:25:21 2012
*nat
:PREROUTING ACCEPT [5673:734891]
:POSTROUTING ACCEPT [2816:179474]
:OUTPUT ACCEPT [2816:179474]
COMMIT
# Completed on Sat Feb 25 17:25:21 2012

Sorry, but I'm a real newbie when it comes to this stuff and I just want to make my server more secure.

PersonalNexus
okapa

2 Answers

24

First you should always flush, to be sure what's already defined: nothing.

iptables -F

Then set the default policy of the INPUT chain to DROP if the end is reached and no rule matched:

iptables -P INPUT DROP

To ensure the loopback is not affected you should add

iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to allow all traffic on the lo interface and every incoming packet for connections you established. After that add every rule you need for your services (don't forget to open SSH if you need it! Else you're out):

iptables -A INPUT -p tcp -m tcp --dport 1962 -j ACCEPT 
iptables -A INPUT -p tcp -m tcp --dport 999 -j ACCEPT 
iptables -A INPUT -p tcp -m tcp --dport 12020 -j ACCEPT 

A little trick I use to keep myself and others from accidentally drilling holes into the security: I finally add

iptables -A INPUT -j DROP

This line matches everything for the INPUT chain, so the policy should never see anything. The advantage of this is that even if you add an ACCEPT rule sometime after initializing your ruleset, it will never be checked, because everything is dropped before. So it ensures you have to keep everything in one place.

For your question the whole thing looks like this in summary:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1962 -j ACCEPT 
iptables -A INPUT -p tcp -m tcp --dport 999 -j ACCEPT 
iptables -A INPUT -p tcp -m tcp --dport 12020 -j ACCEPT 
iptables -A INPUT -j DROP
Mose

  • Just to clarify: `-P` sets the policy on the chain. It is not actually adding a rule. The policy of the chain indicates the action to be performed on the packet if the end of the chain is reached. Because of that, it's smart to add your rules *before* setting a `DROP` policy. – Belmin Fernandez Feb 26 '12 at 23:35
  • If I remember it correctly, normally it doesn't matter where to set the policy… maybe I should give my answer a little edit. – Mose Feb 27 '12 at 01:36
  • One note: be very careful setting default policy deny and flushing when setting up a firewall via SSH. You'll lock yourself out. Yes, I have done this. :-) Now I typically make the last rule `iptables -A INPUT -j DROP` instead, for that very reason. – Sirex Feb 27 '12 at 11:31
  • I highlighted my SSH warning a bit ;-) – Mose Feb 27 '12 at 11:47
  • @Mose: Correct on it not mattering generally. I was trying to highlight that. But it could cause you to be locked out as it has already been mentioned heh. – Belmin Fernandez Feb 27 '12 at 12:12
  • @Sirex: I tend to do the opposite because, in a lot of my servers, `iptables` is managed by Puppet so I depend on setting a policy instead of a drop rule so that rule ordering does not matter. I just combine the `iptables` save command with setting the `DROP` policy. – Belmin Fernandez Feb 27 '12 at 12:15
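The rule set from the answer above, plus the lock-out concern raised in the comments, as an added example that is not part of the original answer or comments. It renders the same rules (policy DROP, loopback and established traffic first, one ACCEPT per port, explicit catch-all DROP) as an iptables-restore file from a port list, checks that the SSH port is in it before applying, and then applies it with a 60-second rollback: unless a confirmation file is created from a still-working session, the previous rules are restored. The function names, the `CONFIRM_FILE` path and the rollback window are our own choices; `iptables-restore --test` needs iptables 1.6 or newer.

```sh
#!/bin/sh
# Added example, not from the original answers: render the ruleset as an
# iptables-restore file, sanity-check it, apply it with a rollback timer.
# build_ruleset, apply_with_rollback and CONFIRM_FILE are names chosen here.

# Ports to allow inbound TCP on, from the question.
ALLOW_PORTS="1962 999 12020"
# SSH port from the question; apply_with_rollback refuses a ruleset without it.
SSH_PORT=1962
# Marker the operator creates to keep the new rules (path is our assumption).
CONFIRM_FILE="${CONFIRM_FILE:-/run/fw-confirmed}"

# Render the filter table: policy DROP, loopback and established traffic
# first, then one ACCEPT per service port, then the explicit catch-all DROP.
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for p in $1; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# Number of per-port ACCEPT rules in a rendered ruleset.
count_port_rules() {
    printf '%s\n' "$1" | grep -c -- '--dport'
}

# Exit 0 if the rendered ruleset accepts TCP to the given port.
allows_port() {
    printf '%s\n' "$2" | grep -q -- "--dport $1 -j ACCEPT"
}

# Apply a ruleset file with rollback. Requires root and iptables >= 1.6
# (for 'iptables-restore --test'). The saved rules come back after 60 s
# unless CONFIRM_FILE exists by then.
apply_with_rollback() {
    ruleset_file="$1"
    allows_port "$SSH_PORT" "$(cat "$ruleset_file")" || {
        echo "refusing: ruleset does not open SSH port $SSH_PORT" >&2
        return 1
    }
    backup="$(mktemp)"
    iptables-save > "$backup"
    iptables-restore --test "$ruleset_file" || {
        echo "refusing: iptables-restore rejected the ruleset" >&2
        rm -f "$backup"
        return 1
    }
    rm -f "$CONFIRM_FILE"
    iptables-restore "$ruleset_file"
    # Detached timer: restore the backup unless the operator confirmed in time.
    ( sleep 60; [ -e "$CONFIRM_FILE" ] || iptables-restore "$backup"; rm -f "$backup" ) &
    echo "applied; run 'touch $CONFIRM_FILE' within 60 s to keep these rules"
}

# Usage: ./fw.sh          -> print the ruleset
#        ./fw.sh apply    -> apply with rollback (as root)
#        ./fw.sh confirm  -> keep the rules before the timer expires
case "${1:-print}" in
    print)   build_ruleset "$ALLOW_PORTS" ;;
    apply)   tmp="$(mktemp)"; build_ruleset "$ALLOW_PORTS" > "$tmp"
             apply_with_rollback "$tmp"; rm -f "$tmp" ;;
    confirm) touch "$CONFIRM_FILE" ;;
esac
```

Running it without arguments only prints the ruleset, so it can be reviewed (or fed to `iptables-restore --test`) before anything is applied; the `apply` step is what needs root.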
23

A reply from a newbie just like you :-) I needed to secure my Ubuntu server as well, learning iptables was a pain I could not get through. UFW (Uncomplicated Firewall) is a program to make firewall configuration as easy as possible.

  • install ufw:

    sudo apt-get install ufw
    
  • disable it immediately (I had to rescue-boot because I was locked out of my own SSH login):

    sudo ufw disable
    
  • set "deny" as default rule (this blocks all ports):

    sudo ufw default deny
    
  • allow ports you need:

    sudo ufw allow 1962/tcp
    sudo ufw allow 999/tcp
    sudo ufw allow 12020/tcp
    
    sudo ufw allow out 1962/tcp
    sudo ufw allow out 999/tcp
    sudo ufw allow out 12020/tcp
    
  • if you're certain the rules above do not break your ssh connection, enable ufw:

    sudo ufw enable
    

Docs are well written and provide more examples: https://help.ubuntu.com/community/UFW

user123456
Vlad Gerasimov

  • When working with firewall configurations, it may be a good idea to create a cron job that disables the firewall again. Just in case you get locked out. – pymkin Apr 19 '14 at 23:09
  • Note that this doesn't work with ufw 0.35, throwing errors like `ERROR: Bad destination address` and `ERROR: Bad source address` – Dave Aug 08 '17 at 08:56
  • And how to allow all ports except one port for a specific interface? I am using the default deny rule and want to block DNS port 53 on the Ethernet interface to prevent DNS leaks when using a VPN. Currently I have to allow all ports that I want to use for private IP ranges, which is not very convenient. – baptx Jan 13 '18 at 19:19