How to block all ports except 80,443 with iptables?

Question

Blocking all ports(in and out) is easy but it's hard with the word "except". I don't know any rules that satisfies the condition.

PS: I know this question is nothing new. But in fact, I didn't find anything helps. So, help me pls!

Can't you close ALL ports and then OPEN a single port in the next line? — sinni800, Jun 17 '14 at 09:08
I do this: iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP iptables -I INPUT -p tcp --dport 80 -j ACCEPT ------ It's not work! — user71169, Jun 17 '14 at 09:14

cybernard · Accepted Answer · 2022-02-28T14:54:53.787

33

First the ! is the NOT symbol.

iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,443 -j DROP

Second, the rules you wrote may not have the expected results. You drop everything including the response to the connection on port 80. Therefore, you will not be able to connect to it says for the purposes of a web server.

These rules allow RELATED and ESTABLISHED connections so a web server should function, if that is in fact what your trying to do.

iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
<insert further allowed list here>
iptables -A INPUT -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP

So its now 2022 and I thought I would update this briefly.

iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
<insert further allowed list here>
iptables -A INPUT -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
iptables -A INPUT -j DROP
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP

This update acknowledges that "-m state" is depreciated.

edited Feb 28 '22 at 14:54

answered Jun 18 '14 at 01:46

cybernard

13,380
3
29
33

2

Shouldn't `!` be escaped like this `\!`, if the Bash shell is used? – Cristian Ciupitu Jun 18 '14 at 02:02
@CristianCiupitu No it should not need to be escaped. You may have something weird going on, but on my bash I don't need to escape it. – cybernard Jun 18 '14 at 02:06
I checked output of "iptables -nvL" to see packages in connection. It seems to work, your rules. But I can't check It's really work or not except using some apps which using those ports. An App use a port doesn't mean It use that port only. So, any suggest to check? – user71169 Jun 18 '14 at 08:22
2

@cybernard, yes, you're right. A plain `!` doesn't need to be escaped. Sorry about the false alarm. – Cristian Ciupitu Jun 18 '14 at 09:20
@user71169 Yes. https://www.grc.com/x/ne.dll?bh0bkyd2 Click **Proceed** to have shields up scan the ports. It does not matter how many ports an app tries to use as my rules will prevent the traffic from reaching the other ports even if they are open/active. – cybernard Jun 19 '14 at 04:43
I ran the first command and I got disconnected from terminal which was used by ssh port. I am no longer able to login. what to do? – Mohd Shahid Jun 08 '16 at 07:21
3

@MohammadShahid Rules are not permanent automatically, reboot and it will be gone and you can login. You need to add 22 to the list of ports if you want to maintain a ssh connection. – cybernard Jun 08 '16 at 21:12
Would love to see an annotated version of this answer, with comments above each line explaining what is going on. – Elijah Lynn Feb 05 '20 at 03:37
Ok, it seems both `-m conntrack` and `-m state` are, in latest kernel, doing the same ("state" is deprecated and is "aliased" to "conntrack"). My question is why do we need this (state/conntrack) line in the INPUT chain? I mean, the line just above we ACCEPT everything with destination port 80/443. So why should we also accept connection with RELATED/ESTABLISHED states without taking care of port? – Tristan CHARBONNIER Feb 28 '22 at 03:33
@TristanCHARBONNIER The reason we have RELATED,ESTABLISHED alone is because we want ALL ports to be covered by this. Why? Because when a web server receives a connection request, it hands connect off to a random port number so port 80 is free to handle the next request. Also if the system is being used for anything else like web browsing, or even system updates the connection will also use a RANDOM port number. Therefore RELATED,ESTABLISHED can not have fixed port numbers. – cybernard Feb 28 '22 at 14:44
@TristanCHARBONNIER Regarding the "state" part, my original answer was posted in 2014, but now in 2022 if you have a modern version of IPTABLES then you make replace the "state" with "conntrack" references. So, if anyone comes through and is still using an OLD version of iptables they know what they have to do to succeed. – cybernard Feb 28 '22 at 14:49

score 7 · Answer 2 · answered Jun 17 '14 at 09:12

7

# Set the default policy of the INPUT chain to DROP
iptables -P INPUT DROP

# Accept incomming TCP connections from eth0 on port 80 and 443
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

This should give you what you need

answered Jun 17 '14 at 09:12

Fazer87

12,520
1
36
48

6

Remember if you are connected through SSH you should open TCP port 22 – Maximilian Ast Nov 08 '16 at 18:22
Yes don't forget about your SSH port, probably should add your SSH port before you set the default policy to drop. ;) – James Little Mar 19 '19 at 14:14

score 3 · Answer 3 · edited Dec 14 '14 at 18:43

3

You can set your default action to DROP, and then create exception rules to allow 80 and 443, like so:

# Setting default policies:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Exceptions to default policy
iptables -A INPUT -p tcp --dport 80 -j ACCEPT       # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT      # HTTPS

iptables will go through the list of 'exceptions' until it finds a match. It will then perform the action specified by the -j parameter (ACCEPT in this case). If it doesn't find a match, it will fall back to the default policy and drop the packet.

Note that with this workaround any sub-domains will be locked out. For example with this method you will have it working on www.mydomain.com all right but your subdomain let's say www.sub.mydomain.com will not open for DNS errors.

edited Dec 14 '14 at 18:43

Nifle

34,203
26
108
137

answered Jun 17 '14 at 09:11

mtak

16,513
2
52
64

It should be work but it's not. I'm so confuse. – user71169 Jun 17 '14 at 09:24
What doesn't work? Does it allow all incoming packets, or none? Can you update your question with the output of `iptables -nvL`? – mtak Jun 17 '14 at 10:05
Why the down vote? I have this running in production so I am 100% sure it works. – mtak Jun 17 '14 at 11:50
Sorry! It's not me, someone did that :)) Yep, You sure like I am but It's not work. That why I have to make the question. – user71169 Jun 18 '14 at 01:38
By the way the port numbers could be replaced with names from [services](http://man7.org/linux/man-pages/man5/services.5.html) i.e. `http` and `https`. – Cristian Ciupitu Jun 18 '14 at 02:08
4

Don't do this over `ssh`. – Ashesh Aug 04 '15 at 09:44
I thought DROP had the higher priority? – jjxtra Jan 16 '19 at 21:57

How to block all ports except 80,443 with iptables?

3 Answers3

Linked