
I am trying to configure IPTables to accept HTTP connections from 10.0.0.1 only and reject everything else. When I make an HTTP connection from 10.0.0.1, it is blocked. I am facing another issue. I am trying to allow DNS in the outgoing direction and block everything else. The problem is that when I use OUTPUT DROP, everything is dropped.

Here is what I did

iptables -A INPUT -p tcp -s 10.0.0.1 --dport 80 -j ACCEPT
iptables -P INPUT DROP    # -P sets the chain policy; "-A INPUT DROP" is not valid iptables syntax
iptables -A OUTPUT -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -P OUTPUT DROP
  • What did/did-not work? Commented Feb 2, 2020 at 16:16
  • @ctrl-alt-delor When I make an HTTP connection from 10.0.0.1, it is blocked. Commented Feb 2, 2020 at 19:10
  • I thought that is what you wanted. Please edit question to make it clearer. Commented Feb 4, 2020 at 21:11

2 Answers


You seem to have blocked output as well (remove the last two lines). The source port will not be 80. You should have configured --dport 80.

Consider also using ufw or gufw (a graphical front end to ufw), as these can do this for you and are much easier to use.


With iptables rules, the order matters. If 10.0.0.1 is the client connecting to an HTTP server, what you need is --dport (destination port), not the source port. So:

iptables -A INPUT -p tcp -s 10.0.0.1 --dport 80 -j ACCEPT
iptables -P INPUT DROP

The second rule means: drop everything else.

  • While order does matter, what has this to do with the rest of your answer? There was nothing wrong with the order, and you have not changed it. Did you mean direction? Commented Feb 2, 2020 at 16:21
  • @ctrl-alt-delor He meant direction, and OUTPUT DROP blocks everything, even in the inbound direction. Commented Feb 2, 2020 at 20:38
  • @Anonymous I am facing another issue. I am trying to allow DNS in outgoing direction and block everything else. The problem is when I use OUTPUT DROP everything is dropped Commented Feb 2, 2020 at 20:59
  • To allow incoming DNS, something like this: iptables -A INPUT --sport 53 -m state --state ESTABLISHED -j ACCEPT. Note that I deliberately omitted -p UDP in the rule, because some DNS traffic may require TCP (for example zone transfers). iptables -P INPUT DROP should be the last rule since it blocks anything else that is not explicitly authorized. If you decide to also restrict outgoing traffic you would need something like: iptables -A OUTPUT --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT Commented Feb 2, 2020 at 21:18
  • @Anonymous but I need to block everything in outgoing direction except for DNS Commented Feb 3, 2020 at 7:47
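The script below is an added example, not code from the question or from either answer, that puts the two answers and the follow-up comments together into one complete ruleset. The point it demonstrates is the cause of the "OUTPUT DROP drops everything" symptom: the HTTP server's replies to 10.0.0.1 and the answers to the host's own DNS queries are outgoing packets, so once the OUTPUT policy is DROP they are discarded unless a rule lets reply traffic of already-accepted connections through (the conntrack ESTABLISHED,RELATED match). Two further facts the example relies on: --sport and --dport are options of the tcp/udp match modules, so a rule using them must also carry -p tcp or -p udp or iptables rejects it; and iptables-restore ignores lines starting with "#", so the ruleset can be commented. The client address 10.0.0.1 and the resolver 8.8.8.8 are taken from the question; the file name firewall.sh and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original question or answers): a complete
# iptables-restore ruleset that
#   * accepts HTTP (tcp/80) on INPUT only from 10.0.0.1,
#   * allows only DNS (udp/53 and tcp/53) to 8.8.8.8 on OUTPUT,
#   * drops everything else in both directions,
# and still lets reply packets of accepted connections through via conntrack.
# Without the two ESTABLISHED,RELATED rules, "-P OUTPUT DROP" also discards the
# web server's replies to 10.0.0.1 and the answers to our own DNS queries.

HTTP_CLIENT="10.0.0.1"   # address from the question
DNS_SERVER="8.8.8.8"     # resolver address from the question

# Print a complete filter table in iptables-restore(8) format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services and the resolver library talk over lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# reply traffic of connections already accepted in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# HTTP server: the client's connections arrive with destination port 80
-A INPUT -p tcp -s ${HTTP_CLIENT} --dport 80 -j ACCEPT
# outgoing DNS only; "-p udp"/"-p tcp" is mandatory, --dport belongs to those matches
-A OUTPUT -p udp -d ${DNS_SERVER} --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${DNS_SERVER} --dport 53 -j ACCEPT
COMMIT
EOF
}

# Number of "-A <chain>" rules in the generated set, for a quick sanity check.
count_rules() {
    gen_rules | grep -c "^-A $1 "
}

# Load the whole table atomically; needs root and the iptables tools.
apply_rules() {
    gen_rules | iptables-restore
}

# Usage: "sh firewall.sh apply" loads the rules; with no argument it prints them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Two caveats a practitioner would want: this only configures IPv4; an IPv6-capable host needs the same table loaded with ip6tables-restore, otherwise IPv6 is left wide open. And because OUTPUT permits DNS only towards 8.8.8.8, /etc/resolv.conf must point at that server or name resolution will still fail under the DROP policy.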
