blocking port 80 via iptables
Solution 1
Don't use state for the DROP rule.
If you don't know whether your HTTP server is TCP and/or UDP, you should drop UDP too.
# Q: I don't understand why my rules keep letting me in.
# A: Clean the chains first, so no earlier rule can match before yours.
iptables -F    # flush all rules in the built-in chains
iptables -X    # delete user-defined chains
iptables -Z    # zero the packet/byte counters
# Set default policy to DROP if not matched by any rule.
# Note: with OUTPUT also DROP, every other service (SSH included) needs its own ACCEPT rules.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Accept incoming packets for port 80 only on connections this host already established,
# i.e. replies from a remote web server. Those arrive with SOURCE port 80 (--sport), not
# destination port 80; with --dport 80 this rule would never match anything.
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow this host to create/ESTABLISH outgoing connections to port 80.
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Default policy is set to DROP so we don't need these:
#iptables -A INPUT -p udp --dport 80 -j DROP
#iptables -A INPUT -p tcp --dport 80 -j DROP
Solution 2
You should set your INPUT chain policy to DROP, your OUTPUT chain policy to ACCEPT, and then open up only those ports that you want to allow. Something like this:
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP # Probably a good idea too.
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Now allow TCP SYN packets in to certain ports. Once they are ACK'ed,
# the above rule for ESTABLISHED connections takes over and lets traffic flow.
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
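Both answers build the chains one -A at a time, which is exactly where the ordering problem Fran raises in the comments creeps in: a DROP appended after an ACCEPT that already matched the packet never fires, and its pkts counter stays at 0, as in the listing in the question. The script below is an added example, not code from either answer or from the question. It writes the ruleset the question actually wants (SSH reachable from outside, port 80 reachable only through the SSH tunnel) as one iptables-restore file, so the rule order is explicit and the load is atomic. The external interface name eth1, sshd on tcp/22, and a tunnel of the form ssh -L 8080:localhost:80 are assumptions; it uses the conntrack match, which is the current name for the state match shown in the question's listing.

```shell
#!/bin/sh
# Added example, not code from either answer or the question. Builds the
# ruleset the question asks for (port 80 reachable only through an SSH tunnel)
# as an iptables-restore file and applies it atomically. Assumptions: the
# external interface is eth1 (the name in the question's listing), sshd listens
# on tcp/22, and the web GUI on tcp/80 is reached via the tunnel endpoint on lo.
set -eu

EXT_IF="${EXT_IF:-eth1}"    # assumed external interface
SSH_PORT="${SSH_PORT:-22}"  # assumed sshd port
WEB_PORT="${WEB_PORT:-80}"  # the port to hide from the outside

# Print the ruleset in iptables-save format. Rules are matched top to bottom
# and the first match wins, so the port-80 DROP goes before every ACCEPT; a
# DROP appended with -A after an ACCEPT that already matched never fires,
# which is what the zero pkts/bytes counters in the question's listing show.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rate-limited log, then drop, for port ${WEB_PORT} on the external interface.
-A INPUT -i ${EXT_IF} -p tcp --dport ${WEB_PORT} -m limit --limit 5/min -j LOG --log-prefix "port${WEB_PORT}-blocked: "
-A INPUT -i ${EXT_IF} -p tcp --dport ${WEB_PORT} -j DROP
# Loopback: ssh -L 8080:localhost:${WEB_PORT} host terminates here.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (and related ICMP errors).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service exposed on the external interface.
-A INPUT -i ${EXT_IF} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the whole table in one step (requires root). Unlike a series of
# iptables -A calls there is no window with a half-built chain.
apply_ruleset() {
    build_ruleset | iptables-restore
}

# Show which INPUT rules are actually matching, with counters and positions.
# A port-80 DROP whose pkts column stays 0 while connections still succeed
# means an earlier rule, or another interface, is taking the packets.
show_input_counters() {
    iptables -L INPUT -v -n --line-numbers
}

case "${1:-print}" in
    print) build_ruleset ;;
    apply) apply_ruleset ;;
    check) show_input_counters ;;
    *) echo "usage: $0 [print|apply|check]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the ruleset (pipe that into iptables-restore --test first if your version supports it), apply to load it as root, and check afterwards from an outside host: if port 80 still answers, the line-numbered counters show which rule the packets are hitting instead, or that they are arriving on an interface other than eth1, which is the question Fran asks in the comments. Keep an SSH session open while applying and have a way to undo the rules if that session drops.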
Author by
JoyIan Yee-Hernandez
Updated on September 18, 2022
Comments
-
JoyIan Yee-Hernandez over 1 year
I'm having problems with iptables. I am trying to block port 80 from the outside; basically the plan is we just need to tunnel via SSH, then we can get on the GUI etc. on a server.
I have this in my rule:
Chain OUTPUT (policy ACCEPT 28145 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
And
Chain INPUT (policy DROP 41 packets, 6041 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
Any guys wanna share some insights?
-
JoyIan Yee-Hernandez over 11 years
Thanks for the input Fran, but what I don't understand is why my rules keep letting me in on port 80: iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP and iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j DROP
-
Fran over 11 years
Are the packets coming in on eth0 or some other interface? Also check for some rule in front of the one you showed me that may allow the traffic. If that rule gets hit first, your rule never has any effect.
-
Fran over 11 years
BTW, your output in the question shows eth1 but now you're asking about eth0. Do you know which interface the packets arrive at?