Recipe 2.4 Blocking Incoming Traffic
2.4.1 Problem
You want to block all incoming network traffic, except from your system itself. Do not affect outgoing traffic.
2.4.2 Solution
For iptables:
# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT
For ipchains:
# ipchains -F input
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -p tcp --syn -j REJECT
# ipchains -A input -p udp --dport 0:1023 -j REJECT
2.4.3 Discussion
The iptables recipe takes advantage of statefulness, permitting incoming packets only if they are part of established outgoing connections. All other incoming packets are rejected.

The ipchains recipe accepts all packets from yourself. The source can be either your actual IP address or the loopback address, 127.0.0.1; in either case, the traffic is delivered via the loopback interface, lo. We then reject TCP packets that initiate connections (--syn) and all UDP packets on privileged ports. This recipe has a disadvantage, however, which is that you have to list the UDP port numbers. If you run other UDP services on nonprivileged ports (1024 and up), you'll have to modify the port list. But even so there's a catch: some outgoing services allocate a randomly numbered, nonprivileged port for return packets, and you don't want to block it.

Don't simply reject all input packets, e.g.:
# ipchains -F input
# ipchains -A input -j REJECT
as this will block responses returning from your legitimate outgoing connections.

iptables also supports the --syn option to match TCP packets:
# iptables -A INPUT -p tcp --syn -j REJECT
As with ipchains, this rule blocks TCP/IP packets used to initiate connections. They have their SYN bit set but the ACK and FIN bits unset.

If you block all incoming traffic, you will block ICMP messages required by Internet standards (RFCs); see http://rfc.net/rfc792.html and http://www.cymru.com/Documents/icmp-messages.html.
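As an added example, not code from the book, the following script wraps the iptables solution so the rules can be previewed before they are installed. Two rules in it are additions of this example and not part of the recipe: accepting everything arriving on lo (the ipchains solution has this rule, the iptables one does not, and without it the "except from your system itself" part of the problem is not met for new local connections), and matching RELATED as well as ESTABLISHED so that ICMP error messages belonging to your own outgoing connections are not rejected with everything else. The IPT and DRY_RUN variables and the --apply argument are conventions of this script, not iptables options.

```shell
#!/bin/sh
# Added example (not from the recipe): install the "block incoming, keep
# outgoing" iptables policy in a way that can be dry-run and self-checked.
set -eu

IPT=${IPT:-iptables}   # assumption: iptables is on PATH; override with IPT=/sbin/iptables
DRY_RUN=${DRY_RUN:-1}  # 1 = only print the commands, 0 = really run them (needs root)

# Execute a command, or print it unchanged when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The recipe's rules plus two additions (assumptions of this example):
#  - accept everything on the loopback interface, so local clients can
#    still reach local services;
#  - accept RELATED as well as ESTABLISHED, so ICMP error replies tied to
#    your own outgoing connections are not rejected.
# Outgoing traffic (the OUTPUT chain) is never touched.
block_incoming() {
    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -j REJECT
}

# Self-checks used in dry-run mode: the policy appends exactly three rules
# to INPUT, and the last one must be the catch-all REJECT.
count_input_rules() {
    block_incoming | grep -c -- '-A INPUT'
}

last_rule() {
    block_incoming | tail -n 1
}

case "${1:-}" in
    --apply)
        DRY_RUN=0
        block_incoming
        "$IPT" -L INPUT -n -v --line-numbers   # show what was installed
        ;;
    *)
        echo "Dry run; re-run as root with --apply to install these rules:" >&2
        block_incoming
        ;;
esac
```

Run it without arguments to see the exact iptables commands it would issue; run it as root with --apply to install them and list the resulting INPUT chain. Flushing only INPUT, as the recipe does, leaves any existing OUTPUT and FORWARD rules in place, which is why the script uses plain iptables commands rather than iptables-restore (which would replace the whole filter table).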
2.4.4 See Also
iptables(8), ipchains(8).