Iptables rule to allow only one port and block others

centos iptables firewall netstat
15,001

We can make INPUT policy drop to block everything and allow specific ports only 

# allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow your application port
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT
# allow SSH 
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# Allow Ping
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow localhost 
iptables -A INPUT -i lo -j ACCEPT
# block everything else 
iptables -A INPUT -j DROP

Another question, would this be the right way to test, or maybe I should use "netstat" command to see which port has connection established with the other ip?

Yes, you can check netstat -antop | grep app_port and you can also use strace :

strace -f -e trace=network -s 10000 PROCESS ARGUMENTS

To monitor an existing process with a known pid:

strace -p $( pgrep application_name) -f -e trace=network -s 10000
Share:
15,001

Related videos on Youtube

Gokul
Author by

Gokul

Updated on September 18, 2022

Comments

  • Gokul
    Gokul over 1 year

    We have two apps running (on top of linux) and both communicates through port 42605. I wanted to quickly verify if this is the only port that's been used for communication between them. I tried below rule, but it doesn't seems to work. So, just wanted to get this clarified, if I am doing it wrong.

    Following is the sequence of commands i ran

    iptables -I INPUT -j REJECT
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -I OUTPUT -p tcp --dport 42605 -j ACCEPT

    So, this will get added in reverse order since I am inserting it.

    I wanted to allow incoming and outgoing communications from and to 42605. Does the above rule looks good or am I doing it wrong?

    Another question, would this be the right way to test, or maybe I should use "netstat" command to see which port has connection established with the other ip?

    • Admin
      Admin about 10 years
      Since you're just doing research, instead of doing a -j REJECT you should do a -j LOG. This is because REJECT will drop the packet and send back an ICMP destination unreachable packet to the affected client. LOG will just send the packet information to syslog (on most systems it ends up in /var/log/messages) then the packet is processed normally. So REJECT will likely break the application (at least temporarily) and you're at the mercy of what THAT causes the app to do, versus just logging the information and doing a tail -f on /var/log/messages

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What prevents a machine from responding to pings?
iptables rules not reloading on CentOS 6.x
Blocking outgoing connects with iptables
blocking port 80 via iptables
Open a port in my CentOS
iptables blocking from internet side on eth1?
IPtables string match for some URLs
What does an empty iptables mean?
Problems with multicasts in "iptables"
MySQL / Firewall / Can't connect to MySQL server