iptables blocking from internet side on eth1?


You can use -i device and -o device to match ethernet devices. E.g.,

iptables -P INPUT DROP                                       # default policy: drop anything no rule accepts
iptables -A INPUT -i lo -j ACCEPT                            # must allow machine to talk to itself, else much breakage.
iptables -A INPUT -i eth0 -j ACCEPT                          # LAN side: accept everything
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT        # WAN side: SSH only
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT   # WAN side: ping
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT       # replies to connections this host opened

Or similar. You can also use -s/-d to filter on source and destination IP address.

I suggest naming your Ethernet interfaces, so that you could have -i lan & -i wan instead. You can name them in your udev rules. On Debian, you'd edit /etc/udev/rules.d/70-persistent-net.rules.

PS: When filtering your WAN interface, make sure DHCP still works, if you're using it. Else your connection will mysteriously break when the lease expires, which could be a while later.
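As an added example (not part of the answer above), here is the full rule set for the setup in the question as a POSIX shell script: eth0 as the LAN side with 192.168.1.20 and 192.168.1.30 denied access to the server, eth1 as the WAN side with only SSH and ping accepted. The DHCP client rule assumes the WAN address comes from DHCP, and the LAN_IF/WAN_IF variables, the run helper and the print/apply modes are my own additions; run it with no argument to review the commands, with "apply" to execute them.

```shell
#!/bin/sh
# Added example: rule set for a two-interface host (LAN on eth0, WAN on eth1).
# Without the "apply" argument the commands are printed instead of executed,
# so the ordering can be reviewed before touching a live firewall.
LAN_IF=eth0
WAN_IF=eth1
BLOCKED_LAN_HOSTS="192.168.1.20 192.168.1.30"   # LAN hosts denied access to this server (from the question)
MODE=${1:-print}

# run: execute iptables in apply mode, otherwise echo the command line
run() {
  if [ "$MODE" = apply ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

firewall_rules() {
  run -F INPUT                                  # start from an empty INPUT chain
  run -P INPUT DROP                             # default: drop what no rule accepts
  run -A INPUT -i lo -j ACCEPT                  # loopback must always work
  run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies to our own connections

  # LAN side: the two blocked hosts are matched before the general LAN accept,
  # because iptables stops at the first matching rule in the chain
  for h in $BLOCKED_LAN_HOSTS; do
    run -A INPUT -i "$LAN_IF" -s "$h" -j DROP
  done
  run -A INPUT -i "$LAN_IF" -j ACCEPT

  # WAN side: only SSH and ping requests; web, ftp etc. fall through to DROP
  run -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
  run -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT

  # Keep DHCP lease renewals working on the WAN side (assumes a DHCP-assigned address):
  # DHCP server replies come from UDP port 67 to client port 68
  run -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT
}

firewall_rules
```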

Author: I'll-Be-Back

Updated on September 18, 2022

Comments

  • I'll-Be-Back over 1 year

    How to use iptables to deal with two Ethernet ports?

    eth0 port for LAN use (192.168.1.50 Private IP).

    eth1 port is connected to the internet via cable modem (80.0.xxx.xxx public IP).

    ifconfig output:

    eth0      Link encap:Ethernet  HWaddr 00:19:99:C1:86:BB
              inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:137532 errors:0 dropped:0 overruns:0 frame:0
              TX packets:55658 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:99968969 (95.3 MiB)  TX bytes:10403525 (9.9 MiB)
              Interrupt:50 Memory:fe700000-fe720000
    
    eth1      Link encap:Ethernet  HWaddr 00:19:99:C1:61:3B
              inet addr:80.0.xxx.xxx  Bcast:255.255.255.255  Mask:255.255.252.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:144558 errors:0 dropped:0 overruns:0 frame:0
              TX packets:70347 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:34500131 (32.9 MiB)  TX bytes:27893843 (26.6 MiB)
              Interrupt:177 Memory:fe600000-fe620000
    

    How do I use iptables to block all incoming traffic on eth1 except port 22, so that the Internet side can't access our web server, ftp server, etc.? Only port 22 should be allowed, for SSH access. Ping should also work.

    On the local network (eth0), there are over 70 client PCs. They should be able to access anything on the server, but just block the internal local IPs 192.168.1.20 and 192.168.1.30 from accessing the 192.168.1.50 (private IP) server.

    How can it be done using iptables?

  • I'll-Be-Back about 11 years
    Sorry, I meant port 22 for SSH. I edited my question. I am aware of the iptables tutorial and I am familiar with filtering on one Ethernet port, but my question is about filtering two Ethernet ports. Could you kindly give me an example based on my question? Thanks.
  • I'll-Be-Back about 11 years
    Ah, I see, thanks. Does iptables -P INPUT DROP refer to all Ethernet devices? Which means drop everything by default on all available Ethernet devices?
  • derobert about 11 years
    @I'll-Be-Back It sets what happens if no rule matches. I suggest at least skimming through the iptables manpage.