Blocking All ports except for port 80 and 443
Hi All,
I would like to block all ports for incoming and outgoing traffic using iptables.
However, I would like to keep ports 80 and 443 open.
I used the following commands:
iptables -P INPUT DROP      # default policy for incoming packets
iptables -P OUTPUT DROP     # default policy for outgoing packets
iptables -P FORWARD DROP    # default policy for forwarded packets
And thus I successfully closed all traffic. After those commands, I tried using the following commands in order to open port 80, for example:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
I have done the same for port 443, however I am unable to open HTTP and HTTPS pages.
Kindly advise.
Any assistance will be appreciated.
Regards,
Ofir
Responses
Hi Ofir,
The iptables/firewall rules file is parsed top-down, so if you have added all the drop/reject rules at the beginning, processing will not go further down the rules table, and all incoming or outgoing packets get dropped as you defined. If this is the case, then you need to re-define your rules: first add all the required ports to be allowed, such as http/https, and then add the reject/drop rule at the end.
You may add an additional entry in the rules file to see which packets are being dropped/rejected; this entry should come before your drop/reject entry in the rules file.
All the best!
I agree, Thomas. I always add the allow rules first and then finally the drop/reject rules at the end, so that if none of the accept rules matches, those packets get dropped.
Right, but if you did as the OP did and used the chain-policy option to set a default of DROP, you don't really have to add any drop/reject rules anywhere else. The only reason for adding explicit reject rules to a default-DROP chain would be that you want to set up a customized reject method (say, one that looks for too many connections to the SSH service from the same IP in too short an interval and temporarily blackholes the source).
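The following is an added example, not code from any reply in this thread: a complete default-DROP ruleset that does what the original post asks (only HTTP and HTTPS, in both directions). It also covers the point the thread's replies circle around without stating it: with the OUTPUT policy at DROP, an INPUT rule accepting dport 80 is not enough on its own, because the server's replies leave through OUTPUT and are dropped there, so a conntrack rule accepting ESTABLISHED,RELATED traffic is needed in both chains. The script assumes a host whose iptables has the conntrack, multiport and limit matches, and must be run as root to apply; the IPTABLES variable and the apply_web_only_ruleset function are this example's own names (setting IPTABLES=echo previews the commands without touching the kernel).

```shell
#!/bin/sh
# Added example (not from the original thread): default-DROP policies with
# only HTTP/HTTPS allowed, plus the return-traffic rule that makes it work.
# Assumes iptables with the conntrack, multiport and limit matches; run as root.

# Hypothetical knob for this example: point IPTABLES at "echo" to dry-run.
IPTABLES="${IPTABLES:-iptables}"

apply_web_only_ruleset() {
    # 1. Start clean and set the chain policies. As the last reply notes, a
    #    policy of DROP already drops everything no rule accepts, so no
    #    explicit trailing DROP rule is required.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # 2. Loopback: local processes talking to local services.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # 3. Return traffic. Packets that belong to a connection already accepted
    #    in either direction are let through; without this, replies to an
    #    accepted inbound request die in the OUTPUT chain.
    $IPTABLES -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. New inbound connections to the local web server on 80/443.
    $IPTABLES -A INPUT  -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 5. New outbound connections from this host to remote web servers, the
    #    direction needed to open HTTP/HTTPS pages from the box itself.
    $IPTABLES -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 6. Log what the policy is about to drop. Placed after the accepts so it
    #    only records traffic nothing above matched; rate-limited so a flood
    #    cannot fill the log.
    $IPTABLES -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "iptables-in-drop: "
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-out-drop: "
}

# Apply when executed directly as a script (the function is what matters
# when this file is sourced).
if [ "${0##*/}" = "web-only-firewall.sh" ]; then
    apply_web_only_ruleset
    $IPTABLES -S
fi
```

After applying, `iptables -S` shows the rules in chain order, which is what the first reply is getting at: the accepts must be listed before anything that logs or rejects. Two practical caveats: the policy as written blocks DNS, so opening pages by hostname from the host needs an extra OUTPUT accept for udp/tcp port 53 (or a local resolver on lo), and these rules are not persistent across reboots unless saved with the distribution's iptables-save mechanism.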
