Alexandr Shurigin wrote:
> hello guys
>
> I have trouble. I read and read, and I think it is better to ask the professionals :)
>
> I have a server which must have only ports 80 and 22 open. All other
> ports I want to close with iptables.
>
> Which rules must I use?
>
> Thanks. Have a good day :)
>
> --
> Best regards, Alexandr Shurigin
> icq 254106594
> email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> phone: +7 902 265 81 66

Hello
There are several ways to do that, and it depends on many things. For example:

# Deny everything by default (chain policies)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow incoming http traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow outgoing established and related http traffic (replies from port 80)
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming ssh traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow outgoing established and related ssh traffic (replies from port 22)
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

# If you want to update your server from the Internet you should allow
# dns communication and outgoing http traffic
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

You could also use the multiport module; here is another example:

# Accept new connections to ssh and http in one rule
iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
# Accept the replies going back out from those two ports
iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT

There are many possibilities, and I think you should read this material, it is very good:

http://www.sns.ias.edu/~jns/files/iptables_ruleset
http://linuxgazette.net/108/odonovan.html

If you have any questions, please, put them here.

Bye.

Daniel.