How to block all incoming request through one network interface?
Solution 1
If you really want to block all incoming traffic from the WAN (or Internet), you can simply add a rule like the the following:
$ iptables -A INPUT -i eth0 -j DROP
assuming eth0
is the WAN interface. This is enough to block all incoming traffic. However, you need to allow all related/established connections to be able to request some service from the WAN/Internet. So, you need a rule like:
$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Of course the ACCEPT
rule should be added before the DROP
rule. Doing so will prevent you from hosting any service within your network.
Solution 2
iptables -A FORWARD -i eth0 -j DROP
Will not block incoming traffic. You should add rule on INPUT
chain, e.g.:
iptables -A INPUT -i eth0 -j DROP
Related videos on Youtube
steveyang
Updated on September 18, 2022Comments
-
steveyang over 1 year
Saying I have a linux server as a router from LAN to WAN. I don't want any incoming WAN request for safety issue. So how should I block all the incoming request through the WAN interface, but doesn't limit the LAN users' normal internet activity?
Which application should I use? (
iptables
?). Which service will be interrupted if I shut up all incoming traffic? -
steveyang about 12 yearsWhat do you mean by the last sentence "Doing so will you prevent you from hosting any service within your network"? What if I do want to provide service for my LAN user?
-
shrawani karpe about 12 yearsI think what Khaled meant was that your server won't be able to proivde any services to the outside like FTP, HTTP, etc.
-
Khaled about 12 years@hydroparadise: yes, that's right. Any connection from outside will be blocked.
-
Dan Lenski almost 8 yearsThis is incorrect and Kranthi Guttikonda's answer is right. You need to add the
DROP
rule on theINPUT
chain, not theFORWARD
chain.