Scanning with nmap, I discovered that there are 3 open ports on my server. I want to deny any access to these ports from any machine, regardless of whether it is on the same LAN or via WAN. How do I write an iptables rule for this?
3 Answers
If you want to deny access to all the machines ("any machine from LAN and WAN") it is better to either stop those services or bind them to the localhost. This way there will be no chance of messing up iptables rules.
Still, you can use IPTABLES to block access to specific ports as well.
iptables -A INPUT -p tcp --destination-port <port of the service you want to block> -j DROP
Repeat the above rule for all the ports you want to block access to.
To close an individual port, you can do the following.
iptables -A INPUT ! -i lo -p tcp --dport 80 -j REJECT
Adjust tcp to be udp if that's the case, change 80 to the appropriate port. That will reject anything that didn't come from the local loopback interface.
See also Reject IP packets with an ICMP error, or just drop them?
Note that this solves the individual problem, but in a general sense you should explicitly allow which ports you wish to have open and then deny the rest. Particularly since you probably still want to access these ports from the local machine, that adds a lot more convenience in rule writing as well.
- there are web services opening those ports.. I think that this rule "iptables -A INPUT -p tcp --dport 80 -j REJECT" will deny any input, isn't it? – sophist Mar 05 '13 at 14:13
- @sophist Can you rewrite that? I can't understand what you tried to say. – Jeff Ferland Mar 05 '13 at 14:14
- In fact there are 3 web services installed on my machine (= 3 open ports).. I have to deny any other machine, on the same LAN or on the WAN, from using those ports.. Does the rule you mentioned achieve that? – sophist Mar 05 '13 at 14:17
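A fuller version of the allow-list approach recommended in the answer above (and of the "close the port, keep loopback open" rule), written as an added example that is not code from the question or from any of the answers. It prints the iptables commands instead of running them, so the rule set can be reviewed before it is applied; the allowed port list (22 and 443) is an assumed placeholder, as is the `ALLOWED_TCP` environment variable.

```shell
#!/bin/sh
# Added example, not taken from the question or the answers above.
# Builds an allow-list for the INPUT chain: loopback and established
# traffic stay open, the listed TCP ports are accepted, and everything
# else (including the three ports found by nmap) is rejected. The port
# list is an assumed placeholder; adjust it before applying.

# Print the iptables commands, one per line, instead of executing them,
# so the rule set can be reviewed (and compared with the live chain via
# "iptables -S INPUT") before it is applied.
build_input_rules() {
    allowed_tcp="$1"   # space-separated TCP ports to keep reachable

    # Start from an empty INPUT chain so re-running the script is idempotent.
    echo "iptables -F INPUT"
    # Local clients keep working: the services remain reachable via lo.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host initiated must be allowed back in.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Explicitly allowed ports; keep SSH here or the admin session is cut off.
    for port in $allowed_tcp; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Default deny. REJECT answers with an ICMP error; use -j DROP instead if
    # the host should stay silent.
    echo "iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable"
}

# Apply the generated rules; requires root. Not run by default.
apply_input_rules() {
    build_input_rules "$1" | sh
}

# Count ACCEPT rules in the generated set: a sanity check that every
# intended port made it in (2 base rules + one per allowed port).
count_accept_rules() {
    build_input_rules "$1" | grep -c -e '-j ACCEPT'
}

# Stand-alone run: print the rules for the assumed allow-list.
build_input_rules "${ALLOWED_TCP:-22 443}"
```

Run it as `ALLOWED_TCP="22 443" sh rules.sh` to see the commands, and call `apply_input_rules "22 443"` as root to install them. Because the final rule rejects everything not listed, apply it from a console session rather than over SSH unless port 22 is in the list, and confirm the result with `iptables -L INPUT -n -v` or a second nmap run from another host.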
Are you trying to block all open ports on a specific interface? If so, you can use the following command
iptables -A INPUT -i <interfaceName> -j DROP
for example:
iptables -A INPUT -i eth0 -j DROP
where eth0 is usually the LAN interface, and
iptables -A INPUT -i eth1 -j DROP
where eth1 is usually the WAN interface.
- use ifconfig -a. The last line of the interface description will contain Base address:0xe800 where 0xe800 stands for the LAN interface and 0x2000 for WAN. There is a file on the Linux system which explains all these, I don't really remember where exactly it is situated on the system. Usually by default eth0 is for LAN and eth1 is for WAN. I hope I answered your question. – Alex Mar 05 '13 at 14:50
- iptables, then Linux / IPtables, no? – Jeff Ferland Mar 05 '13 at 13:59