Home / server / Questions / 376272
In Process
steveyang
Asked: 2012-04-04 05:18:59 +0800 CST

How to block all incoming request through one network interface?

  • 772

Saying I have a linux server as a router from LAN to WAN. I don't want any incoming WAN request for safety issue. So how should I block all the incoming request through the WAN interface, but doesn't limit the LAN users' normal internet activity?

Which application should I use? (iptables?). Which service will be interrupted if I shut up all incoming traffic?

firewall networking iptables interface

2 Answers

  1. If you really want to block all incoming traffic from the WAN (or Internet), you can simply add a rule like the the following:

    $ iptables -A INPUT -i eth0 -j DROP

    assuming eth0 is the WAN interface. This is enough to block all incoming traffic. However, you need to allow all related/established connections to be able to request some service from the WAN/Internet. So, you need a rule like:

    $ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    Of course the ACCEPT rule should be added before the DROP rule. Doing so will prevent you from hosting any service within your network.

    • 12 
  2. iptables -A FORWARD -i eth0 -j DROP

    Will not block incoming traffic. You should add rule on INPUT chain, e.g.:

    iptables -A INPUT -i eth0 -j DROP
    • 2