
Using IPChains or IPTables to block access from the Internet

All Internet connections over TCP have to start with a "connection-initiation" packet, called a SYN packet. If you block all packets of that type from coming in through the device you have connected to the Internet (usually ppp0), then only outbound connections will get through. All the replies from the servers you connect to will still work, as long as they arrive on the same connection you used to request the data (this precludes active, i.e. non-passive, FTP and some other protocols that open a second connection back to you).

One great advantage of this is that anyone connecting to your computer on a port blocked like that will have to wait the entire timeout period before finding out that there isn't going to be a reply. Your computer has essentially become a black hole: requests come in, but nothing, not even a "connection refused", goes out.

For instance, you may wish to stop all access to the FTP port (port 21). To do this, simply run:

# for 2.2.x kernels
$ /sbin/ipchains -I input 1 -i ppp+ -p TCP -y -s 0/0 -d 0/0 ftp -j DENY
# for 2.4.x kernels
$ /sbin/iptables -A INPUT -i ppp+ -p tcp --syn --destination-port ftp -j DROP

Where:

ppp+ is the network interface you want to filter. This may be "ppp0" to block only ppp0 or "ppp+" to block all ppp* interfaces.
-s 0/0 is the source of the packet. This may be "0/0" to block packets coming from *anywhere*, or a specific address/mask, like 192.168.1.0/24.
-d 0/0 is the destination of the packet. See source, above.
ftp is the destination port of the packet. This may be a name, like www, or a number, like 80.
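The following is an added example, not part of the original article: a small model of what the iptables "--syn" match (ipchains "-y") selects and of the verdict the rule above produces, to show why replies to your own outbound connections still pass while new inbound connections (including an active-mode FTP data connection, if you block every port) are silently dropped. The Packet class, the flag constants and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header (constructed constants).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    iface: str      # interface the packet arrives on, e.g. "ppp0"
    proto: str      # "tcp" or "udp"
    dport: int      # destination port on our host
    flags: int = 0  # TCP flag bitmask (ignored for non-TCP)


def is_syn(pkt: Packet) -> bool:
    """iptables --syn / ipchains -y: SYN set and ACK, RST, FIN all clear.
    Only the first packet of a new connection looks like this; a SYN/ACK
    reply from a server we contacted does not match."""
    return pkt.proto == "tcp" and (pkt.flags & (SYN | ACK | RST | FIN)) == SYN


def matches_iface(iface: str, pattern: str) -> bool:
    """'ppp+' matches every interface whose name starts with 'ppp'; 'ppp0' is exact."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def filter_input(pkt: Packet, iface_pattern: str = "ppp+", blocked_ports=(21,)) -> str:
    """Verdict for an inbound packet under the article's rule.
    blocked_ports=None means 'all ports'. DROP is silent: no TCP RST and no
    ICMP error leave the host, so the peer waits out its connect timeout."""
    port_hit = blocked_ports is None or pkt.dport in blocked_ports
    if matches_iface(pkt.iface, iface_pattern) and is_syn(pkt) and port_hit:
        return "DROP"
    return "ACCEPT"


# Constructed sample traffic
inbound_ftp_connect = Packet("ppp0", "tcp", 21, SYN)            # stranger connecting to our FTP port
reply_to_our_request = Packet("ppp0", "tcp", 34567, SYN | ACK)  # server answering our outbound connect
lan_ftp_connect = Packet("eth0", "tcp", 21, SYN)                # FTP from the LAN side, not filtered
active_ftp_data = Packet("ppp0", "tcp", 40000, SYN)             # server opening an active-mode data connection

if __name__ == "__main__":
    for name, p in [("inbound FTP connect", inbound_ftp_connect),
                    ("reply to our request", reply_to_our_request),
                    ("LAN FTP connect", lan_ftp_connect),
                    ("active FTP data (port 21 blocked)", active_ftp_data)]:
        print(f"{name}: {filter_input(p)}")
    print(f"active FTP data (all ports blocked): {filter_input(active_ftp_data, blocked_ports=None)}")
```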

Please read the ipchains or the iptables documentation before you start messing around! The above is just a reminder or a teaser -- depends on how you look at it.

Last updated on 2000-11-14 14:00:00 -0800, by Shalom Craimer
