Home / server / Questions / 573727
In Process
Leon
Asked: 2014-02-07 10:16:35 +0800 CST

iptables to block all but one port on PPP0

  • 772

I have 2 dsl accounts. One is general use which is setup on my router and the second is setup on a server. My router is secured nicely, but I noticed after setting up PPPoe on my server that the router security is completely bypassed and all ports on my server are essentially open to the world.

So I tried this do block all connections on PPP

iptables -A INPUT -i ppp0 -p tcp -j DROP
iptables -I INPUT -i ppp0 -p tcp --dport 563 -j ACCEPT

But now I cannot connect to or from port 563.

I suspect that I am fundamentally misunderstanding how iptables work.

linux

2 Answers

  1. Order matters! You're not going down the wrong route, but you need to change the order. Put the ACCEPT first, then the REJECT, and you'll be fine.

    • 1

  2. You need to set a few default rules, and then a policy for the rest. This is a nice starting point:

    iptables -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT --match comment --comment "Accept traffic from outgoing connections and stuff like FTP."
iptables -A INPUT -p icmp -j ACCEPT --match comment --comment "Allow ping"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT --match comment --comment "Allow SSH"
iptables -A INPUT --in-interface lo -j ACCEPT --match comment --comment "Allow everything on the localhost"
iptables -P INPUT DROP

    Then you can add your rule:

    iptables -A INPUT -i ppp0 -p tcp --dport 563 -j ACCEPT
    • 1