Aug 11, 2011
tom

Enable iptables on one interface

Question

I want iptables to filter only one interface, eth0, which is facing WAN. How can this be done? And I want to keep ftp and ssh ports open on eth0.

Answer

So for all interfaces but one you want to accept all traffic, and on eth0 you want to drop all incoming traffic except ftp and ssh.

First, we could reset your firewall rules.

iptables -F

Then we could set a policy of accepting all traffic by default.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Now we could say that we want to allow incoming traffic on eth0 that is a part of a connection we already allowed.

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Also that we want to allow incoming ssh connections on eth0.

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

But that anything else incoming on eth0 should be dropped.

iptables -A INPUT -i eth0 -j DROP

For slightly more depth see this CentOS wiki entry.

FTP is trickier than ssh since it can use a random port, so see this previous question.
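The procedure above, collected into a small POSIX shell helper (an added example, not code from the original answer): the hypothetical function wan_rules emits the rules as an iptables-restore ruleset so the whole filter table is replaced in one atomic step instead of rule by rule, and it refuses anything that is not a plain port number. It assumes the WAN interface is eth0 and that ssh (22) and the FTP control port (21) are the ports to open; FTP data connections still need the kernel's FTP connection-tracking helper, which this script does not load.

```bash
#!/bin/sh
# Hypothetical helper (not from the original post): print an iptables-restore
# ruleset that filters only the WAN interface and accepts everything else.
# Usage: wan_rules <iface> <tcp-port>...   e.g. wan_rules eth0 22 21

wan_rules() {
  iface="$1"; shift
  echo '*filter'
  # Default policies: accept everywhere, as in the answer above. Traffic on
  # every interface other than $iface therefore passes untouched.
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Replies to connections we already allowed (modern spelling of
  # "-m state --state" used in the answer).
  echo "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for port in "$@"; do
    # Refuse an empty argument or anything containing a non-digit.
    case "$port" in
      ''|*[!0-9]*) echo "wan_rules: bad port '$port'" >&2; return 1 ;;
    esac
    echo "-A INPUT -i $iface -p tcp --dport $port -j ACCEPT"
  done
  # Everything else arriving on the WAN interface is dropped.
  echo "-A INPUT -i $iface -j DROP"
  echo 'COMMIT'
}

# Dry run: print the ruleset for eth0 with ssh and the FTP control port open.
# To apply it as root in one step:  wan_rules eth0 22 21 | iptables-restore
# (iptables-restore replaces the filter table, which covers the "iptables -F"
# reset in the answer; check the result with: iptables -S INPUT)
wan_rules eth0 22 21
```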
