
I have 2 DSL accounts. One is general use which is set up on my router and the second is set up on a server. My router is secured nicely, but I noticed after setting up PPPoE on my server that the router security is completely bypassed and all ports on my server are essentially open to the world.

So I tried this to block all connections on PPP

iptables -A INPUT -i ppp0 -p tcp -j DROP
iptables -I INPUT -i ppp0 -p tcp --dport 563 -j ACCEPT

But now I cannot connect to or from port 563.

I suspect that I am fundamentally misunderstanding how iptables work.

Halfgaar
Leon

2 Answers


Order matters! You're not going down the wrong route, but you need to change the order. Put the ACCEPT first, then the REJECT, and you'll be fine.

Bill Weiss

You need to set a few default rules, and then a policy for the rest. This is a nice starting point:

iptables -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT --match comment --comment "Accept traffic from outgoing connections and stuff like FTP."
iptables -A INPUT -p icmp -j ACCEPT --match comment --comment "Allow ping"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT --match comment --comment "Allow SSH"
iptables -A INPUT --in-interface lo -j ACCEPT --match comment --comment "Allow everything on the localhost"
iptables -P INPUT DROP

Then you can add your rule:

iptables -A INPUT -i ppp0 -p tcp --dport 563 -j ACCEPT
Halfgaar
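Added example, not code from the question or either answer: a small Python model of how iptables evaluates the INPUT chain (first matching rule wins, otherwise the chain policy). It reproduces the first answer's point that a blanket DROP evaluated ahead of the ACCEPT shadows it, and the second answer's point that the RELATED,ESTABLISHED rule plus policy DROP still lets replies to the server's own outgoing connections through. The sample packets (an ephemeral port 40123, an unsolicited probe to 3306) are constructed, and the model ignores addresses, source ports and everything else iptables can match on.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    """One INPUT-chain rule: an unset field matches anything (option omitted)."""
    target: str                          # -j ACCEPT / DROP
    iface: Optional[str] = None          # -i
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: set = field(default_factory=set)  # --match state --state ...

@dataclass
class Packet:
    iface: str
    proto: str
    dport: int
    state: str   # conntrack's view: NEW, or ESTABLISHED for replies to our own flows

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.states or pkt.state in rule.states))

def verdict(chain: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides; else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The question's two rules with the blanket DROP evaluated first:
# the ACCEPT behind it can never be reached (the first answer's point).
SHADOWED = [Rule("DROP", iface="ppp0", proto="tcp"),
            Rule("ACCEPT", iface="ppp0", proto="tcp", dport=563)]
REORDERED = SHADOWED[::-1]   # ACCEPT first, as the first answer recommends

# The second answer's starting ruleset plus the ppp0 rule; used with policy DROP.
STATEFUL = [Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
            Rule("ACCEPT", proto="icmp"),
            Rule("ACCEPT", proto="tcp", dport=22),
            Rule("ACCEPT", iface="lo"),
            Rule("ACCEPT", iface="ppp0", proto="tcp", dport=563)]

# Constructed sample packets arriving on ppp0.
INBOUND_563 = Packet("ppp0", "tcp", 563, "NEW")
REPLY_TO_OUTBOUND = Packet("ppp0", "tcp", 40123, "ESTABLISHED")  # reply to a flow we opened
UNSOLICITED = Packet("ppp0", "tcp", 3306, "NEW")
```

Without the state rule, even the reordered chain drops the replies to connections the server itself opens over ppp0, which is why the second answer's RELATED,ESTABLISHED line comes first.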