How to Block all Ports in IPtables

June 26, 2024 / How-to Guide

This guide helps you secure your server by blocking all ports except those you explicitly allow, reducing potential attack vectors.

Follow the steps:

  1. Remove Current Rules:
    1. Connect to your server as root.
    2. Run these commands to delete the existing rules (-F flushes every rule in the filter table, -X removes any user-defined chains):
      iptables -t filter -F
      iptables -t filter -X
  2. Block All Traffic:
    1. Run these commands to set the default policy to DROP for all incoming, forwarding, and outgoing traffic (from this point any remote session is cut off until the rules in steps 3 to 5 are in place, so run the remaining steps from a console or put all of them in one script):
      iptables -t filter -P INPUT DROP
      iptables -t filter -P FORWARD DROP
      iptables -t filter -P OUTPUT DROP
  3. Allow Established Connections:
    1. To keep existing connections working, run:
      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  4. Allow Loopback Connections:
    1. For internal server processes, allow loopback connections:
      iptables -t filter -A INPUT -i lo -j ACCEPT
      iptables -t filter -A OUTPUT -o lo -j ACCEPT
  5. Allow Specific Ports:
    1. For example, to allow HTTP traffic (port 80), run:
      iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
      iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    2. To allow SSH traffic (port 22), run:
      iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
      iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
    3. To allow SSH traffic only from a specific IP, run the two commands in this order (-I inserts each rule at the top of the chain, so the ACCEPT rule inserted second ends up above the DROP rule; inserted the other way round, the DROP would shadow the ACCEPT):
      iptables -I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 22 -j DROP
      iptables -I INPUT -p tcp -m tcp -s 101.69.69.101 --dport 22 -j ACCEPT
  6. Allow Port Range:
    1. To allow a range of ports (e.g., 1024 to 2000), run:
      iptables -t filter -A OUTPUT -p tcp --dport 1024:2000 -j ACCEPT
      iptables -t filter -A INPUT -p tcp --dport 1024:2000 -j ACCEPT
  7. Block All UDP Except DNS (Port 53):
    1. Allow DNS requests (the second command is the IPv6 counterpart, matching the ip6tables DROP rule below):
      iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
      ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
    2. Block all other UDP traffic:
      iptables -A OUTPUT -p udp -j DROP
      ip6tables -A OUTPUT -p udp -j DROP
  8. Allow Specific DNS Servers:
    1. To allow requests only to specific DNS servers, use these rules in place of the general port 53 rule in step 7 and add them before the UDP DROP rule (iptables acts on the first matching rule, so a rule appended after the DROP is never reached):
      iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
      iptables -A OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
  9. Disable Ping Requests:
    1. To disable outgoing ping requests:
      iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
    2. To disable incoming ping requests:
      iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
  10. Save and Restart:
    1. Save your iptables configuration (the path used on RHEL/CentOS-style systems):
      iptables-save > /etc/sysconfig/iptables
    2. Restart the iptables service so the saved rules are reloaded:
      service iptables restart
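
As an added example (not part of the original guide), the script below applies the same ruleset as the steps above, but adds the loopback, established-connection and SSH rules before switching the policies to DROP, so a remote session survives the change; ADMIN_IP is a constructed placeholder, and passing echo instead of iptables prints the rules for inspection instead of applying them.

```shell
# Added example, not from the original guide: the guide's ruleset applied in an
# order that keeps the SSH session used to run it alive. ADMIN_IP is a constructed
# placeholder; pass "echo" instead of "iptables" to print the rules instead.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed example address (TEST-NET-3)

apply_firewall() {
    IPT="$1"   # "iptables" to apply (as root), "echo" for a dry run
    # Clean slate while the policies are still ACCEPT, so nothing is cut off mid-way.
    $IPT -t filter -P INPUT ACCEPT
    $IPT -t filter -P OUTPUT ACCEPT
    $IPT -t filter -F
    $IPT -t filter -X

    # Loopback and already-established traffic (guide steps 3 and 4) go in first.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # SSH only from the admin address: ACCEPT is appended before the DROP,
    # so the chain order is explicit (with -I, the last inserted rule lands on top).
    $IPT -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j DROP

    # Web server port and outbound DNS to the two resolvers (guide steps 5 and 8).
    $IPT -A INPUT  -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT

    # Ping handling (guide step 9).
    $IPT -A INPUT  -p icmp --icmp-type echo-request -j REJECT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j DROP

    # Default-deny policies last (guide step 2), once every allow rule is in place.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT DROP
}

# Line number of the first dry-run rule matching $1; lets you verify rule order.
rule_line() {
    apply_firewall echo | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-dry-run}" in
    --apply) apply_firewall iptables ;;   # on the server, as root
    *)       apply_firewall echo ;;       # default: show the rules that would be applied
esac
```

Run it without arguments first and read the printed rule order, then run it with --apply as root and save the result with iptables-save as in step 10.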

With these rules in place, every port on the server is blocked except the ones you explicitly allowed, which reduces the attack surface exposed to the network. Hope you grasped everything well.

Need to block specific IP addresses or domains? Check out our guide on How to Block an IP address or a Domain Name Using cPanel.
