How to block udp ports range in linux RHEL7 - linux

need to test an application which uses the UDP port range from 5000 to 60,000 in. i want to test the boundary value condition for ports. so i want to block UDP ports range from 5000 to 59999.

Using iptables:
iptables -A INPUT -p udp --dport 5000:59999 -j DROP
or, better,
iptables -A INPUT -p udp --dport 5000:59999 -j REJECT --reject-with icmp-port-unreachable

Related

linux firewall rule - iptables –A INPUT rule that will accept any packet that comes in over ports 43,53 or 67

I need an linux firewall rule that will accomplish the following: iptables –A INPUT rule that will accept any packet that comes in over ports 43,53 or 67.
I am new to this. Do you have to have -p "protocol" before --dport 43,53,67 or can you take out the -p "protocol" and just have the --dport 43,53,67. How would you have accept any packet that could come over multiple protocols?
You have to use it for all protocols you want to allow
iptables -A INPUT -p tcp -m multiport --dports 43,53,67 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 43,53,67 -j ACCEPT
--dport is not a flag for general iptables rules. It's a flag for one of it's extended packet matching modules. These are loaded when you use -p protocol or -m. Unless you specify -m <protocol> or -p <protocol> with a specific protocol you can't use --dport

Can't Access Port number 80 and 443 after adding Iptables rules

In my CentOS 6 i added a IPtables rules like DROP all the policy like
iptables -P INPUT DROP
Then I allow Port NO 22,80,443 with this command,
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Now can access SSH with putty. But i can't access Internet. I have to know the exact problem of this.? Please help me.
Ofcourse you cannot access the Internet. You just added a rule that drops all incoming traffic (except for traffic coming in to ports 22, 80 and 443).
When you try to access the internet (if you're using a browser), your machine establishes a connection from
<local IP>:<port1> <----> <remote IP>:80
When the remote server responds to you, it will respond back to the same port1 that you sent the request from (which will NOT be 22, or 80, or 443. It will be a number usually higher than 32768), so it will get dropped by iptables.
Try these rules instead:
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
The second rule tells IP tables to ACCEPT traffic that is coming to us, if it's coming to a port that we used to send outgoing traffic. This will allow you to see the response from the server, which you were dropping.
However, there's still a problem with DNS traffic, since it uses UDP not TCP. You can work around that by changing the first rule to:
iptables -P INPUT -p tcp DROP
so it only drops TCP traffic but not UDP traffic. There may be other ways to work around the DNS problem, depending on what exactly you want to do.
So your final ruleset should look like this:
iptables -P INPUT -p tcp DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

iptables allow request started by server

As you can image, we need iptables to block the ports we do not need to protect server.
But I need to request some third party resource, and I got confuse on how to do it.
Here are my iptables rules
iptables -F
iptables -A INPUT -p UDP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 110.75.147.65/32 -j ACCEPT
iptables -A INPUT -s localhost -j ACCEPT
iptables -A INPUT -j DROP
And 110.75.147.65/32 is the one of third party servers' IP, I wonder if there are any way to allow all connection started by my server such as curl https://www.google.com/, otherwise I need to add all my third party servers' IP to the iptables rules.
How about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow ssh incoming/outgoing and blocking all outgoing besides specific ports

I am trying to create iptable rules that will allow incoming and outgoing ssh connections, and then allow outbound connections to specific ports, then finally drop anything that doesnt match.
These are the rules I have come up with, the SSH rules work, but when I tunnel into the box I cant seem to access http (port 80) even though i've allowed it. Can anyone spot the mistake?
#!/bin/bash
#clear iptables
iptables -F
iptables -X
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT
#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow input on port 22, (established connections auto accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
#...
#drop anything that doesnt match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Thanks for your time.
You might want to add the DNS ports, otherwise you may not be able to resolve any hostnames.
Allowing OUTPUT for TCP and UDP Port 53 should help.
You need to open port 80 for input and output with a rule like this:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Iptables - how to allow connection to port 27015 from only *:27005

I have an application listening at port 27015. I want to allow all ips with client port 27005 and drop the rest. How do I go about this ?
This page shows some good examples of iptables.
http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html
So, something like this should do it:
iptables -A INPUT -p tcp --sport 27005 --dport 27015 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
Little late but here is what I would do
iptables -A INPUT -p tcp --dport 27005 -j ACCEPT
iptables -A INPUT -j DROP
service iptables save
service iptables restart

Resources