7

Say I have a Linux server acting as a router from LAN to WAN. I don't want any incoming WAN requests, for safety reasons. So how should I block all incoming requests through the WAN interface without limiting the LAN users' normal internet activity?

Which application should I use? (iptables?) Which services will be interrupted if I shut off all incoming traffic?

steveyang

2 Answers

13

If you really want to block all incoming traffic from the WAN (or Internet), you can simply add a rule like the following:

$ iptables -A INPUT -i eth0 -j DROP

assuming eth0 is the WAN interface. This is enough to block all incoming traffic. However, you need to allow all related/established connections to be able to request some service from the WAN/Internet. So, you need a rule like:

$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Of course the ACCEPT rule should be added before the DROP rule. Doing so will prevent you from hosting any service within your network.

Dan Lenski
Khaled
  • What do you mean by the last sentence "Doing so will prevent you from hosting any service within your network"? What if I do want to provide service for my LAN users? – steveyang Apr 03 '12 at 13:30
  • I think what Khaled meant was that your server won't be able to provide any services to the outside like FTP, HTTP, etc. – Chad Harrison Apr 03 '12 at 13:31
  • @hydroparadise: yes, that's right. Any connection from outside will be blocked. – Khaled Apr 03 '12 at 13:32
  • This is incorrect and [Kranthi Guttikonda's answer](http://serverfault.com/a/775125/322144) is right. You need to add the `DROP` rule on the `INPUT` chain, not the `FORWARD` chain. – Dan Lenski May 30 '16 at 01:12

2
iptables -A FORWARD -i eth0 -j DROP

Will not block incoming traffic. You should add a rule on the INPUT chain, e.g.:

iptables -A INPUT -i eth0 -j DROP
Castaglia
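A complete ruleset for the setup both answers describe, as an added example that is not from the original page or from either answerer. It assumes eth0 is the WAN interface, eth1 the LAN interface and 192.168.1.0/24 the LAN subnet (all assumed names, overridable through environment variables). It covers both chains: INPUT for traffic addressed to the router itself, which is what the question and the accepted rules deal with, and FORWARD for traffic routed between LAN and WAN, which a WAN-only DROP on INPUT does not touch.

```shell
#!/bin/sh
# Added example (not the original poster's or answerers' code).
# Assumed interface names and LAN subnet; override via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the whole ruleset in iptables-restore format so it can be reviewed
# (or diffed against the running one) before anything is loaded.
router_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then replies (and RELATED ICMP errors) for flows the router opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Trust the LAN side: SSH, DNS, DHCP to the router from inside keep working.
-A INPUT -i ${LAN_IF} -j ACCEPT
# Explicit WAN drop, as in the accepted answer; the DROP policy is the backstop.
-A INPUT -i ${WAN_IF} -j DROP
# Routed traffic: LAN may initiate towards the WAN; only replies come back.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the WAN address so replies route back to the router.
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset atomically. Needs root and the iptables package; never
# run it over SSH from the WAN side, since that session is cut off by design.
apply_router_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  router_rules | iptables-restore
}

# Ordering check that runs without root: the RELATED,ESTABLISHED accept must
# come before the WAN drop in INPUT, otherwise the router's own outbound
# connections (DNS, package updates) never get their replies.
check_rules() {
  rules=$(router_rules)
  accept_line=$(printf '%s\n' "$rules" \
    | grep -n '^-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED' | cut -d: -f1)
  drop_line=$(printf '%s\n' "$rules" \
    | grep -n "^-A INPUT -i ${WAN_IF} -j DROP" | cut -d: -f1)
  [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}
```

`-m state --state` in the accepted answer is the older spelling of `-m conntrack --ctstate`; both match the same connection-tracking states. Because RELATED also covers ICMP errors tied to an existing flow, path-MTU discovery keeps working for LAN clients behind this ruleset. What stops working is exactly what the answers say: anything the outside has to initiate, such as hosting a service, inbound SSH, or pinging the router from the WAN.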