Linux Help
Ip Filtering, in Debian Linux
post Jan 5 2005, 06:13 PM
Post #1

Whats this Lie-nix Thing?

Group: Members
Posts: 16
Joined: 12-August 04
Member No.: 3,542

I'm running an FTP server on my linux machine, but it's probably insecure as hell. One of the things I'd like to do is set up an IP filter (I believe this is the correct term; it blocks a remote ip address on all ports). How would I go about doing that?
post Jan 6 2005, 04:16 AM
Post #2

Its GNU/

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069


Well, I would begin with something like this:

cd /home
vi iptables

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

making the default rule DROP every packet that hits us

iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

so we allow localhost to send packets to the firewall,
we allow eth0, which is the internal LAN, to send packets to the firewall,
but we only allow packets that are RELATED or ESTABLISHED to be sent to us from the internet

iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

we allow localhost to get out;
we allow all packets to leave the firewall freely (it might be a good idea to later do some additional port filtering; please check and run ShieldsUP! [tm] and see which ports are vulnerable to the most dangerous attacks, and you can block those ports. For example, a virus hits you and it uses some well-known port to spread; if you block that port, you would do a great help to the rest of us by not allowing it to spread further from your location)

the FORWARD rules are for the stuff that goes through the firewall machine ... you should definitely read up on an iptables howto ... for example there is really good documentation on tldp; just search for "tldp iptables howto"

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

we allow the internal LAN to go freely through the firewall to eth1 (internet);
we only allow packets that we requested in some way to come back to us from the internet, see the NEW missing?

for example, if you then want to allow a certain IP address to access FTP services on !!!THIS!!! computer, you would do the following:

iptables -A INPUT -i eth1 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p tcp --dport 21 -j ACCEPT

replacing xxx.xxx.xxx.xxx with the remote host,
replacing yyy.yyy.yyy.yyy with your public IP address

maybe you could also do it like this:

iptables -A INPUT -i eth1 -s xxx.xxx.xxx.xxx -p tcp --dport 21 -j ACCEPT

finally, to put these rules into action you could do this:

/etc/init.d/iptables stop
source /home/iptables
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables start

if this works, then since you may need to modify this later, you can create a bash script to do the above 4 lines, like this:

cd /home
vi change_iptables

then put this into the change_iptables file:


#!/bin/bash
/etc/init.d/iptables stop &&
source /home/iptables &&
iptables-save > /etc/sysconfig/iptables &&
/etc/init.d/iptables start

then do a:
chmod 755 /home/change_iptables

and if you change something in /home/iptables and want to quickly apply it,
just type:



cd /home

Robert B

Robert Becskei
May the source be with us!
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
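The ruleset from the reply above, written up as a Debian-side script. This is an added example, not code from the thread or from Robert's post. It assumes the same interface roles as the post (eth0 internal LAN, eth1 internet), uses addresses from the RFC 5737 documentation ranges as stand-ins, and adds two things the thread only gestures at: a BLOCKLIST chain for the original question (drop a remote IP on every port), and loading the FTP connection-tracking helper, without which passive-mode FTP data connections are never classed RELATED and the INPUT DROP policy silently breaks listings. The post's /etc/init.d/iptables and /etc/sysconfig/iptables are Red Hat/CentOS paths that Debian does not ship; the script instead feeds iptables-restore directly (one atomic load, so a typo cannot leave the box half-configured) and saves to /etc/iptables/rules.v4, which assumes the iptables-persistent package is installed to reload it at boot. Run it as `sh firewall.sh` to print the generated table, `sudo sh firewall.sh apply` to load it.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the post's ruleset in
# iptables-restore format, plus the "block this IP on every port" rule the
# original question asked for. All addresses and interface names below are
# assumptions; override them in the environment.
set -eu

LAN_IF="${LAN_IF:-eth0}"                 # assumed internal LAN interface
WAN_IF="${WAN_IF:-eth1}"                 # assumed internet-facing interface
FTP_CLIENT="${FTP_CLIENT:-192.0.2.10}"   # assumed remote host allowed to reach FTP
BLOCKED="${BLOCKED:-198.51.100.7 203.0.113.0/24}"  # assumed hosts/nets to drop on all ports

# is_ipv4 ADDR[/PREFIX]: reject anything that is not a dotted quad with an
# optional /0-32 prefix, so a typo (or shell metacharacters) is caught here
# and never reaches iptables-restore.
is_ipv4() {
  case "$1" in
    ''|*[!0-9./]*|.*|*.|*..*|*/|*/*/*|*/*.*) return 1 ;;
  esac
  ip=${1%%/*}
  prefix=${1#"$ip"}; prefix=${prefix#/}
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  [ -z "$prefix" ] || [ "$prefix" -le 32 ]
}

# gen_rules: print the complete filter table. Order matters: the blocklist is
# consulted before any ACCEPT, so a blocked address is dropped on every port
# even if a later rule (LAN, FTP) would otherwise let it in.
gen_rules() {
  for a in $FTP_CLIENT $BLOCKED; do
    is_ipv4 "$a" || { echo "gen_rules: bad address '$a'" >&2; return 1; }
  done
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
    ':BLOCKLIST - [0:0]'
  for a in $BLOCKED; do
    printf '%s\n' "-A BLOCKLIST -s $a -j DROP"
  done
  printf '%s\n' \
    '-A INPUT -j BLOCKLIST' \
    '-A INPUT -i lo -j ACCEPT' \
    "-A INPUT -i $LAN_IF -j ACCEPT" \
    '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    "-A INPUT -i $WAN_IF -s $FTP_CLIENT -p tcp --dport 21 -j ACCEPT" \
    '-A OUTPUT -o lo -j ACCEPT' \
    '-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT' \
    "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" \
    "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT" \
    'COMMIT'
}

# apply_rules: load atomically and persist. Must run as root on the firewall.
apply_rules() {
  # Without the FTP helper, passive-mode data connections are not RELATED
  # and the INPUT DROP policy silently breaks directory listings.
  modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
  # iptables-restore replaces the whole table in one step: a bad file is
  # rejected as a unit instead of leaving a half-loaded ruleset.
  gen_rules | iptables-restore
  # Assumes the iptables-persistent package; it reloads this file at boot.
  iptables-save > /etc/iptables/rules.v4
}

case "${1:-show}" in
  show)  gen_rules ;;
  apply) apply_rules ;;
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Generating the table as text and loading it with iptables-restore is also what makes the "edit the file, re-apply it" workflow from the reply safe: if the edited file is rejected, the previous rules stay in place instead of the box being left with DROP policies and no ACCEPT rules after a partial run.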