Iptables – How to block all incoming request through one network interface

firewallinterfaceiptablesnetworking

Saying I have a linux server as a router from LAN to WAN.
I don't want any incoming WAN request for safety issue.
So how should I block all the incoming request through the WAN interface, but doesn't limit the LAN users' normal internet activity?

Which application should I use? (iptables?). Which service will be interrupted if I shut up all incoming traffic?

Best Answer

If you really want to block all incoming traffic from the WAN (or Internet), you can simply add a rule like the the following:

$ iptables -A INPUT -i eth0 -j DROP

assuming eth0 is the WAN interface. This is enough to block all incoming traffic. However, you need to allow all related/established connections to be able to request some service from the WAN/Internet. So, you need a rule like:

$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Of course the ACCEPT rule should be added before the DROP rule. Doing so will prevent you from hosting any service within your network.

Related Solutions

Security – Block incoming traffic to specific computer

Your firewall/router by default will block incoming traffic and only allow traffic outbound that is initiated by the internal LAN side. Make sure the firewall is turned on, yes. Especially if this is the final route out to the internet.

So incoming connections initiated by the outside should be dropped by default but you can do a full port scan of your WAN public IP address(es) here: http://www.hackerwatch.org/probe/

That should help you gauge if anything is open or not open.

There are other steps such as ensuring your WAN IP for management purposes on your router isn't accessible (to prevent external access to it by hacking attempts), along with secure passwords instead of the defaults on it. Make sure it's on the latest firmware and ask TP Link if there's any known exploits against that router.

This isn't fullproof by any means, and you'll need to be thorough about your security if you ever change anything or do allow inbound port access for things like VPN, hosted apps (like websites/email), etc.

If you are super concerned or it is a big deal to management, consider hiring a small firm to do a penetration test and security assessment from time to time.

Finally, relax....you are probably a small shop, so don't go crazy trying to create all kinds of layers and customization. Put in place what makes you and management comfortable without being so draconian that people cannot work.

Linux – iptables – Block incoming on Eth1 and Allow All from eth0

I wanted to block all the incoming route to eth1 but only allow port 21. Just so that external IP can't access to our web server, ftp server, etc. Only allow port 21 for SSH access. Ping should work too.

The cleanest way would be to configure the web/ftp-servers to listen only on the internal interface. This way, you wouldn't have to worry about any networking related techniques at all.

If you can't do that for any reason, apply these rules:

iptables -A INPUT -i eth1 -p icmp -j ACCEPT           # allow ping
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT # allow SSH
iptables -A INPUT -i eth1 -j DROP                     # drop everything else

(SSH's default port is 22 by the way, but I think you know best where your SSH listens.)

On the local network (eth0), anyone should be able to access anything but just block local ip's 192.168.1.20 and 192.168.1.30 from accessing to 192.168.1.50 server.

Simple:

iptables -A INPUT -i eth0 -s 192.168.1.20 -j DROP 
iptables -A INPUT -i eth0 -s 192.168.1.30 -j DROP

That drops all packets from these hosts. If you want ping allowed here as well, use a similar rule for icmp like on eth1.

Best Answer

Related Solutions

Security – Block incoming traffic to specific computer

Linux – iptables – Block incoming on Eth1 and Allow All from eth0

Related Topic