Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Ariel on January 12, 2004, 02:24:46 AM
-
In what way can I block all ports for one specific IP range, and permit only ports 21,25,80,110 for another specific IP range?
Thanks for helping me
-
iptables or ipchains?
-
I tried with /sbin/iptables -A FORWARD -p TCP --dport 1863 -j REJECT
and it didn't work. Can you send me an example, and tell me if there is any command to block all ports?
Thanks.
-
Hi Ariel,
I have added this script to my sme5.6 server to drop unwanted/unnecessary ports on the firewall:
#!/bin/bash
# The following rules drop inbound connections to ports: 110,143,113
# they are not needed for this environment as all access is through
# ssh and https.
# last line drops pings to the firewall's external interface
#
iptables -I INPUT -i eth1 -p tcp --dport 110 -j DROP
iptables -I INPUT -i eth1 -p tcp --dport 143 -j DROP
iptables -I INPUT -i eth1 -p tcp --dport 113 -j DROP
iptables -I INPUT -i eth1 -p icmp --icmp-type 8 -j DROP
Log in as root. Create a file called "dropextra" with the above contents and any other ports you want dropped using the template, then make it executable with:
[root@sme5.6 root]# chmod +x dropextra
Assuming your Internet ethernet interface is eth1 (default), you can adjust this for any additional ports/protocols. If you would like it to take effect on reboot, and assuming you created the file in the root home directory, just do this:
[root@sme5.6 root]# echo "/root/dropextra" >> /etc/rc.d/rc.local
Cheers
-m
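The following script is an added example, not code from this thread or from SME Server. It takes the same approach as the dropextra script above (iptables rules on the external interface, saved to a file and run from rc.local) and extends it to Ariel's original question: everything from one address range is dropped, and a second range may reach only TCP ports 21, 25, 80 and 110. The interface name eth1, the two example ranges (taken from the RFC 5737 documentation blocks) and the chain name "dropextra" are assumptions; change them to match your server. Setting IPT=echo prints the rules instead of applying them, which is worth doing before touching a live firewall.

```shell
#!/bin/bash
# Added example (not from the thread): block one source range entirely and
# allow only ports 21,25,80,110 from a second range, using the same style
# as the dropextra script above.
IPT="${IPT:-iptables}"                        # set IPT=echo to preview the rules
EXT_IF="${EXT_IF:-eth1}"                      # assumed external interface
BLOCKED_NET="${BLOCKED_NET:-192.0.2.0/24}"    # constructed example range: drop everything
LIMITED_NET="${LIMITED_NET:-198.51.100.0/24}" # constructed example range: 4 ports only

apply_rules() {
    # Own chain, so re-running the script replaces rather than duplicates rules
    $IPT -N dropextra 2>/dev/null || $IPT -F dropextra

    # 1. Blocked range: drop every protocol and port
    $IPT -A dropextra -i "$EXT_IF" -s "$BLOCKED_NET" -j DROP

    # 2. Limited range: accept only the four TCP ports, then drop the rest
    for port in 21 25 80 110; do
        $IPT -A dropextra -i "$EXT_IF" -s "$LIMITED_NET" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A dropextra -i "$EXT_IF" -s "$LIMITED_NET" -j DROP

    # Hook the chain first in INPUT (traffic to the server itself) and FORWARD
    # (traffic forwarded to the LAN); remove any old jump first so reruns are clean
    $IPT -D INPUT -j dropextra 2>/dev/null || true
    $IPT -D FORWARD -j dropextra 2>/dev/null || true
    $IPT -I INPUT 1 -j dropextra
    $IPT -I FORWARD 1 -j dropextra
}

# Usage: ./blockranges apply      (or: IPT=echo ./blockranges apply  to preview)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Rules in the limited range are order-sensitive: the four ACCEPT rules must come before the final DROP for that range, which is why the loop runs first. Once applied, verify from outside the way -m does below, with an nmap scan against the external address from a host in each range.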
-
Ariel,
Here is a scan of my firewall from the outside to verify that everything worked (real hostnames altered):
[root@otherhost root]# nmap -P0 -sS sme56.somewhere.net
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on sme56.somewhere.net:
(The 1596 ports scanned but not shown below are in state: filtered)
Port State Service
25/tcp open smtp
80/tcp open http
443/tcp open https
This output is after activating the rules in my previous email. Let me know if you have any further questions.
-m