Originally Published: Wednesday, 13 June 2001 Author: David LeCount
Published to: enchance_articles_security/Advanced Security Articles

Linux.com Security: Firewalls; IPtables and Rules

Linux.com contributor David LeCount recently got jiggy with IPtables and router rules. Check out this fine article if you want to take the first steps towards securing your Linux box on the network.

  << Page 2 of 3  >>

Blocking Service Requests

What if we only wanted to ignore telnet requests from the target computer? That's not hard either. You might know that port 23 is for telnet, but you can just use the name telnet if you like; iptables resolves service names through /etc/services. The -p option specifies the protocol, and the ones you will use are tcp, udp and icmp (all matches any protocol). Telnet, like most services, runs over TCP, so we're going with that. But TCP alone doesn't tell the kernel which service we mean: telnet is just one of many services carried on TCP, and what distinguishes it is the port number. Once we have specified -p tcp we can add --destination-port (or its short form --dport) to name the port the client is trying to reach. Make sure you don't get source and destination ports mixed up. The client connects from an arbitrary high-numbered port; it's the server that listens on port 23. So any time you want to block a service this machine offers, match on --destination-port. The opposite is --source-port (--sport), which you would use, for example, to match replies coming back from a telnet server that this machine connected to. Note that the port options are only accepted after -p tcp or -p udp; iptables rejects them with any other protocol. Putting this all together, and writing <target-ip> for the address of the computer we have been blocking, this is the command that accomplishes what we want:

iptables -A INPUT -s <target-ip> -p tcp --destination-port telnet -j DROP

And there you go. If you wanted to match a whole range of addresses instead of a single host, give -s a network in CIDR notation: -s 200.200.200.0/24 matches any address of the form 200.200.200.*, the /24 meaning that only the first 24 bits (the first three octets) have to agree. The older netmask form, 200.200.200.0/255.255.255.0, is accepted as well and means the same thing.

Selective Blocking

Now it's time to fry some bigger fish. Let's say that, like me, you have a local area network and a connection to the Internet. We'll also say that the LAN is on eth0 while the Internet connection is called ppp0. Now suppose we wanted to offer telnet as a service to computers on the LAN but not to the insecure Internet. There is an easy way to do this: -i matches the interface a packet came in on and -o the interface it will go out on (-i is only meaningful in the INPUT, FORWARD and PREROUTING chains, -o in OUTPUT, FORWARD and POSTROUTING). You could always filter the replies on the OUTPUT chain, but we'd rather block on INPUT so that the incoming connection attempt is dropped before the telnet daemon ever sees it. Therefore we'll use -i. Matching on the interface is also more robust than matching on the source address: a packet that arrived on ppp0 can carry any forged source address, but as far as the kernel is concerned it cannot pretend to have arrived on eth0. (If the link's interface number varies, -i ppp+ matches any interface whose name starts with ppp.) This should set up just the rule:

iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP

So this closes the port to anyone on the Internet yet keeps it open to the LAN, provided no earlier rule in the chain has already accepted the packet. The more cautious arrangement is the reverse: a default policy of DROP on the INPUT chain with an explicit ACCEPT for telnet arriving on eth0, so that any service you forget to block is closed by default instead of open.

Note on Rule Order

Now before we go on to more intense stuff, I'd like to briefly explain the other ways to manipulate rules. The -A option appends a rule to the end of the chain; since the kernel walks a chain from top to bottom and stops at the first rule that matches, any earlier matching rule has its say before this one does. If we want to put a rule somewhere other than the end of the chain, we use -I for insert. This puts the rule at a numbered position in the chain and bumps the existing rules down. For example, if we wanted to put it at the top of the INPUT chain, we'd use "-I INPUT 1" along with the rest of the command. Just change the 1 to whatever position you want it to be in (if you leave the number off, -I defaults to 1). Now let's say we wanted to replace whatever rule was already in that location. Just use -R to replace a rule. It has the same syntax as -I ("-R INPUT 3" followed by the new rule) and works the same way except that it overwrites the rule at that position rather than bumping everything down. And finally, if you just want to delete a rule, use -D. This also has a similar syntax, but you can either give the rule number ("-D INPUT 3") or type out all the options you used when you created the rule. The number method is usually the easier choice, but remember that the numbers shift as rules are deleted, so list the chain again before deleting a second one.

There are two more simple options to learn though. -L lists all the rules set so far. This is obviously helpful when you forget where you are; add -n to skip reverse DNS lookups, -v to see packet counters and interfaces, and --line-numbers to see the positions that -I, -R and -D count. And -F flushes a certain chain. (It removes all of the rules on the chain.) If you don't specify a chain, it will flush every chain in the table. Note that -F leaves the chain's default policy in place, so flushing a chain whose policy is DROP over a remote connection will lock you out.
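The three rules from this page (ignore one host, drop telnet arriving on ppp0, let the LAN in) assembled into one INPUT chain, as an added example that is not code from the article. It writes the chain in iptables-restore format, the form you would actually keep in a file, and includes a small first-match evaluator so that the rule-order discussion above can be checked without touching a live firewall. The LAN network 200.200.200.0/24, the interface names and the address 200.200.200.77 for the host being ignored are assumptions made for the example, not values from the article.

```shell
#!/bin/sh
# Added example for this article, not code from the original page. Builds the
# INPUT chain discussed above in iptables-restore format and walks constructed
# packets through it with a first-match evaluator, so the effect of rule order
# (-A versus -I) can be seen without loading anything into the kernel.
# Assumed, not from the article: LAN 200.200.200.0/24 on eth0, Internet link
# on ppp0, and 200.200.200.77 as the "target computer" we want to ignore.

LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=200.200.200.0/24
BAD_HOST=200.200.200.77

HOST_DROP="-A INPUT -s $BAD_HOST -p tcp --dport telnet -j DROP"
WAN_DROP="-A INPUT -i $WAN_IF -p tcp --dport telnet -j DROP"
LAN_OK="-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport telnet -j ACCEPT"

# Table header plus the two rules every INPUT chain should start with. The
# default policy is DROP, so anything no rule accepts is silently discarded.
header() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
}

# Correct order: the host-specific DROP sits above the LAN-wide ACCEPT.
gen_ruleset()    { header; printf '%s\n' "$HOST_DROP" "$WAN_DROP" "$LAN_OK" COMMIT; }

# What you get by appending the host DROP with -A after the LAN ACCEPT is
# already in place: the ACCEPT matches first and the DROP never fires.
gen_misordered() { header; printf '%s\n' "$LAN_OK" "$WAN_DROP" "$HOST_DROP" COMMIT; }

# Stand-in for the /etc/services lookup iptables performs for named ports.
port_of() {
    case $1 in
        telnet) echo 23 ;; ssh) echo 22 ;; http) echo 80 ;; *) echo "$1" ;;
    esac
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net <ip> <net[/prefix]>: true if ip lies inside the network. A bare
# address is treated as /32, exactly as iptables treats a bare -s argument.
in_net() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# rule_matches <rule-line>: succeeds if the rule's -i, -s and --dport all
# match the packet in $pkt_if/$pkt_src/$pkt_port and sets $action to its
# target. Only new connection attempts are modelled, so --state rules are
# skipped; options the model ignores (-p, -m) are stepped over.
rule_matches() {
    want_if=''; want_src=''; want_port=''; stateful=''; action=''
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -i) want_if=$2; shift ;;
            -s) want_src=$2; shift ;;
            --dport|--destination-port) want_port=$(port_of "$2"); shift ;;
            --state) stateful=1; shift ;;
            -j) action=$2; shift ;;
        esac
        shift
    done
    [ -z "$stateful" ] || return 1
    [ -z "$want_if" ]   || [ "$want_if" = "$pkt_if" ]     || return 1
    [ -z "$want_src" ]  || in_net "$pkt_src" "$want_src"  || return 1
    [ -z "$want_port" ] || [ "$want_port" = "$pkt_port" ] || return 1
    return 0
}

# first_match <in-iface> <src-ip> <dst-port>, ruleset on stdin. The first
# matching rule decides, just as the kernel does; if none matches, the chain
# policy (DROP) applies.
first_match() {
    pkt_if=$1; pkt_src=$2; pkt_port=$(port_of "$3")
    verdict=$(grep '^-A INPUT' | while read -r line; do
        if rule_matches "$line"; then echo "$action"; break; fi
    done)
    echo "${verdict:-DROP}"
}

# Walk a few constructed packets through both orderings.
for spec in "ppp0 198.51.100.9 23" "eth0 200.200.200.10 telnet" "eth0 $BAD_HOST 23"; do
    printf '%-30s ordered=%-7s appended=%s\n' "$spec" \
        "$(gen_ruleset | first_match $spec)" "$(gen_misordered | first_match $spec)"
done
```

To load the chain for real, run gen_ruleset | iptables-restore as root; iptables -L INPUT -n -v --line-numbers then shows the positions that -I, -R and -D count. The demo output shows the ignored host getting through in the appended ordering: the fix is to put the DROP above the LAN ACCEPT with -I INPUT 3 rather than tacking it onto the end with -A.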
