To block all incoming traffic, but allow outgoing traffic, execute:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-m - specifies an extension module to test for a specific property. You can list the command line options of a specific module by adding -h after the "-m state" option; in this case, --state is the only option this module takes.
--state - specifies the connection state(s) to match, any of [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED]
-j - jump to the specified target chain.
The last rule allows NEW and ESTABLISHED connections back in; in other words, any connection that originated from the host.
To block a specific source IP address, execute:
iptables -A INPUT -s 1.1.1.1 -j DROP
To block an entire source network, execute:
iptables -A INPUT -s 1.1.1.1/8 -j DROP
To block a specific port, execute:
iptables -A INPUT -p tcp --dport 80 -j DROP
-p - specifies the protocol to inspect
--dport - specifies the destination port to match
To block traffic to a specific destination host or destination subnet, execute:
iptables -A OUTPUT -d 1.1.1.1 -j DROP
iptables -A OUTPUT -d 1.1.1.1/8 -j DROP
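The rules above collected into one script, as an added example that is not part of the original post: it writes the ruleset in iptables-restore format, validates every address and port before anything is handed to iptables, puts the explicit drops ahead of the accept rule because iptables stops at the first matching rule in a chain, and admits only ESTABLISHED,RELATED traffic on INPUT (matching NEW there would let any fresh inbound connection through). The loopback accept, the function names and the sample addresses are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for the default-deny-inbound
# policy described above, validating addresses and ports before use.

# Accept an IPv4 address or CIDR (a.b.c.d or a.b.c.d/n); reject anything else.
valid_ipv4() {
  addr=${1%/*}; prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32          # no /n given: treat as a host
  case "$prefix" in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Accept a TCP port number in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules "<sources>" "<tcp ports>" "<destinations>": each argument is a
# space-separated list (may be empty). Writes iptables-restore input to stdout;
# returns 1 without printing anything if any value is malformed.
gen_rules() {
  for s in $1; do valid_ipv4 "$s" || { echo "bad source: $s" >&2; return 1; }; done
  for p in $2; do valid_port "$p" || { echo "bad port: $p" >&2; return 1; }; done
  for d in $3; do valid_ipv4 "$d" || { echo "bad destination: $d" >&2; return 1; }; done
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'   # assumed: keep loopback working under INPUT DROP
  # Explicit drops go first: iptables walks a chain top-down, first match wins.
  for s in $1; do printf -- '-A INPUT -s %s -j DROP\n' "$s"; done
  for p in $2; do printf -- '-A INPUT -p tcp --dport %s -j DROP\n' "$p"; done
  for d in $3; do printf -- '-A OUTPUT -d %s -j DROP\n' "$d"; done
  # Only replies to connections this host opened (plus related flows such as
  # ICMP errors) get in; matching NEW here would admit any inbound connection.
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' 'COMMIT'
}

# Usage with constructed sample values: parse-check first, then apply (root).
#   gen_rules "1.1.1.1 10.0.0.0/8" "80" "203.0.113.0/24" | iptables-restore --test
#   gen_rules "1.1.1.1 10.0.0.0/8" "80" "203.0.113.0/24" | iptables-restore
```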