Linode Forum
Linode Community Forums
PostPosted: Thu May 24, 2012 1:09 pm 
Senior Newbie

Joined: Fri Oct 08, 2010 3:48 pm
Posts: 9
Hi,

I am using Ubuntu 10.04. I am running a service on port 8001, and I would like to drop all connections on that port (tcp, udp, etc.) that do not come from the localhost.

Here is my current iptables rule to drop tcp:

iptables -A INPUT -j DROP -p tcp --destination-port 8001 -i eth0

In some sense this kind of works because when I run this, the service is not accessible outside of the localhost. However, by adding this iptables rule, when an outside connection is made to that port, the connection hangs for quite a while before dropping the connection. It hangs even if I do not run a service on that port.

For example, even when I do not run a service, if I telnet to port 8001 from the outside it hangs before dropping the connection. But if I telnet to another port, say 8002, it immediately rejects the connection. So, I presume it is something with how my iptables is set up that causes the hang.

Also, how do I change it to drop all protocols, not just tcp? I thought I could just change it to:

iptables -A INPUT -j DROP -p all --destination-port 8001 -i eth0

But that gives an error: iptables v1.4.4: unknown option `--destination-port'

Thanks for any help.

-Adam


PostPosted: Thu May 24, 2012 1:30 pm 
Senior Member

Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
REJECT instead of DROP to send back a rejection packet, otherwise the connection will always seem hanging, because you're dropping it without notification to the other side (I prefer that).

Also, you're doing it wrong. You should drop or reject by default, and only allow services that require outside connection. You can do that with a policy setting (-P), I prefer that, but you'll lock yourself out of the ssh if you're not careful.

Otherwise do (in this order, for INPUT chain on eth0):

- allow all established, related
- allow ports x,y,z
- drop or reject whatever remains


PostPosted: Thu May 24, 2012 1:44 pm 
Senior Newbie

Joined: Fri Oct 08, 2010 3:48 pm
Posts: 9
That makes sense about the drop vs. reject. Thanks for the clarification. And yes, you are correct that I am doing it backwards; once I get things in my head regarding the iptables, I will certainly switch towards your recommendation.

Do you have any thoughts on how to drop all protocols, not just tcp (without creating a new rule for each protocol)? If I do the following it gives me an error that --destination-port is an unknown option.

iptables -A INPUT -j DROP -p all --destination-port 8001 -i eth0

Even if I leave out the -p option (which I thought would default to "all"), then it also gives me the above error? Any thoughts?

-Adam


PostPosted: Thu May 24, 2012 3:07 pm 
Senior Member

Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
Destination port is an extension available only if you specify proto tcp or udp, afaik, so you must list it for each proto.

Hence the right way is to block everything by default and allow only specific services, because you'll never have a service listen to both udp and tcp on the same port.

BTW, keep in mind that if you use -P INPUT REJECT (or DROP), it applies to all interfaces. Loopback is an interface too ("lo"), so you'll need to

iptables -A INPUT -i lo -j ACCEPT


PostPosted: Thu May 24, 2012 4:20 pm 
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 567
Website: http://www.mattnordhoff.com/
Azathoth wrote:
... you'll never have a service listen to both udp and tcp on the same port.

DNS. Though most people don't need to run DNS servers, and I can't think of any other examples.

Matt Nordhoff (aka Peng on IRC)
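The replies above, taken together, describe one ruleset: accept loopback first, then established/related traffic, then one ACCEPT per protocol for each allowed port (port 53 on both tcp and udp is the DNS case just mentioned), and finally REJECT whatever remains. The dry-run generator below is an added example, not code from any poster in this thread; the interface name eth0, the allowed port list, the IPTABLES variable and the helper names are assumptions made for the example. By default it only prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny INPUT ruleset of the
# kind the replies above describe. In dry-run mode (the default) it only prints
# the iptables commands. Assumptions: external interface eth0; SSH on tcp/22
# must stay reachable; a DNS resolver on port 53 needs both tcp and udp;
# port 8001 stays reachable from localhost only.

IPTABLES="${IPTABLES:-echo iptables}"   # set IPTABLES=iptables to apply for real

# allow_port PROTO PORT: --dport (short for --destination-port) is a tcp/udp
# match option, so a service needs one rule per protocol it listens on.
allow_port() {
    $IPTABLES -A INPUT -i eth0 -p "$1" --dport "$2" -j ACCEPT
}

build_ruleset() {
    # 1. Loopback first: a deny-by-default INPUT chain applies to lo as well,
    #    which would cut the service on 8001 off from its own local clients.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this host opened, plus related traffic
    #    such as ICMP errors.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Explicitly allowed services; DNS on both transports needs two rules.
    allow_port tcp 22
    allow_port tcp 53
    allow_port udp 53
    # 4. Everything else, port 8001 included, is refused with an ICMP
    #    port-unreachable (REJECT's default --reject-with), so outside
    #    clients fail fast instead of retransmitting until they time out,
    #    which is the hang seen with DROP.
    $IPTABLES -A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
}

# rule_count: number of rules the generator emits (sanity check on the output)
rule_count() {
    build_ruleset | grep -c -- '-A INPUT'
}

# port_allowed PROTO PORT: succeeds if an ACCEPT rule for that proto/port is emitted
port_allowed() {
    build_ruleset | grep -q -- "-p $1 --dport $2 -j ACCEPT"
}

build_ruleset
```

Order matters because iptables stops at the first matching rule: the REJECT line must be appended last, and the lo rule must precede it. Running the script without setting IPTABLES prints the six commands; running it with IPTABLES=iptables as root appends them to the INPUT chain, which is only safe once the rule for the SSH port is confirmed to be in the list.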


PostPosted: Thu May 24, 2012 10:53 pm 
Senior Newbie

Joined: Fri Oct 08, 2010 3:48 pm
Posts: 9
Thanks everyone for your help and your clarification. I followed the advice given and I drop everything and only open up what I need. nmap seems to be indicating that things are working. Thanks again Linode community!


PostPosted: Fri May 25, 2012 3:34 am 
Senior Member

Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
mnordhoff wrote:
DNS. Though most people don't need to run DNS servers, and I can't think of any other examples.


Right. I stand corrected. :wink:


PostPosted: Fri May 25, 2012 3:42 am 
Senior Member

Joined: Sun Apr 26, 2009 3:37 am
Posts: 72
Website: http://wiggenhorn.org/
You've gone a different route, but to answer your original question, you could have added "--reject-with icmp-port-unreachable" to your iptables rule.


PostPosted: Fri May 25, 2012 3:46 am 
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 567
Website: http://www.mattnordhoff.com/
dcraig wrote:
You've gone a different route, but to answer your original question, you could have added "--reject-with icmp-port-unreachable" to your iptables rule.

Which is equivalent to "-j REJECT", no?

Matt Nordhoff (aka Peng on IRC)

