using iptable to drop port - hangs before dropping
I am using ubuntu 10.04. I am running a service on port 8001, and I would like to drop all connections on that port (tcp, udp, etc) that do not come from the localhost.
Here is my current iptable to drop tcp:
iptables -A INPUT -j DROP -p tcp --destination-port 8001 -i eth0
In some sense this kind of works because when I run this, the service is not accessible outside of the localhost. However, by adding this iptables rule, when an outside connection is made to that port, the connection hangs for quite a while before dropping the connection. It hangs even if I do not run a service on that port.
For example even when I do not run a service, if I telent to port 8001 from the outside it hangs before dropping the connection. But if I telnet to another port, say 8002, it immediately rejects the connection. So, I presume it is something with how my iptable is setup that causes the hang.
Also, how do I change it to drop all protocols, not just tcp. I thought I could just change it to:
iptables -A INPUT -j DROP -p all --destination-port 8001 -i eth0
But that gives an error : iptables v1.4.4: unknown option `--destination-port'
Thanks for any help.
-Adam
8 Replies
Also, you're doing it wrong. You should drop or reject by default, and only allow services that require outside connection. You can do that with a policy setting (-P), I prefer that, but you'll lock yourself out of the ssh if you're not careful.
Otherwise do (in this order, for INPUT chain on eth0):
allow all established, related
allow ports x,y,z
drop or reject whatever remains
Do you have any thoughts on how to drop all protocols, not just tcp (without creating a new rule for each protocol)? If I do the following it gives me an error that --destination-port is an unknown option.
iptables -A INPUT -j DROP -p all --destination-port 8001 -i eth0
Even if I leave out the -p option (which I thought would default to "all"), it also gives me the above error. Any thoughts?
-Adam
Hence the right way is to block everything by default and allow only specific services, because you'll never have a service listen to both udp and tcp on the same port.
BTW, keep in mind that if you use -P INPUT REJECT (or DROP), it applies to all interfaces. Loopback is an interface too ("lo"), so you'll need to
iptables -A INPUT -i lo -j ACCEPT
@Azathoth:
… you'll never have a service listen to both udp and tcp on the same port.
DNS. Though most people don't need to run DNS servers, and I can't think of any other examples.
@mnordhoff:
DNS. Though most people don't need to run DNS servers, and I can't think of any other examples.
Right. I stand corrected.
@dcraig:
You've gone a different route, but to answer your original question, you could have added "--reject-with icmp-port-unreachable" to your iptables rule.
Which is equivalent to "-j REJECT", no?
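As an added example (not code from anyone in this thread), the following POSIX shell script puts the replies' advice together in the order they give it: loopback first, then ESTABLISHED,RELATED, then the allowed ports, then REJECT for whatever remains so outside clients get an immediate port-unreachable instead of the timeout a DROP produces. It also shows the answer to the "-p all" question: one rule per protocol, because --dport cannot be combined with -p all. The interface name eth0, the allowed port 22 and the IPT/IFACE/ALLOW_TCP variables (IPT=echo or a wrapper function gives a dry run) are assumptions of this example.

```shell
# Added example, not from the thread: default-deny INPUT chain as the replies
# describe it. IPT defaults to the real iptables; point it at a wrapper that
# prints its arguments for a dry run. Interface and port values are assumed.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"          # external interface (assumed name)
ALLOW_TCP="${ALLOW_TCP:-22}"    # services reachable from outside (ssh assumed)

apply_input_rules() {
    # Start from an empty INPUT chain so the rule order below is the real order.
    "$IPT" -F INPUT
    # 1. Loopback first: a chain-wide REJECT/DROP would otherwise cover "lo" too.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this host itself opened.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Only the services that need outside connections.
    for p in $ALLOW_TCP; do
        "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$p" -j ACCEPT
    done
    # 4. Everything else: REJECT answers at once with ICMP port unreachable,
    #    which is what a client sees on a closed port; DROP leaves it waiting.
    "$IPT" -A INPUT -i "$IFACE" -j REJECT --reject-with icmp-port-unreachable
}

# Blocking a single port for every port-based protocol needs one rule per
# protocol: --dport is not accepted together with -p all.
# -I puts the rules at the head of the chain, ahead of any ACCEPT for that port.
block_port() {
    port="$1"
    for proto in tcp udp; do
        "$IPT" -I INPUT -i "$IFACE" -p "$proto" --dport "$port" \
            -j REJECT --reject-with icmp-port-unreachable
    done
}

# Usage (as root): sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_input_rules
fi
```

Setting IPT to a function or command that prints its arguments lets you review the exact rule order before touching a remote box, which matters when ssh is the port you could lock yourself out of.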