All Internet connections over TCP have to start with a "connection-initiation" packet, called a SYN packet. If you block all packets of that type from coming in through the device you have connected to the Internet (usually ppp0), then only outbound traffic will get through. All the replies from the servers you connect to will still work, as long as they arrive on the same connection you used to request the data (this precludes non-passive FTP and some other protocols, which open a second connection back towards you).
One great advantage of this is that anyone connecting to a port blocked like that will have to wait the entire timeout period before finding out that there isn't going to be a reply. Your computer has essentially become a black hole: requests come in, but nothing, not even a "connection refused", goes out.
For instance, you may wish to stop all access to the FTP port (port 21). To do this, simply run:
# for 2.2.x kernels
$ /sbin/ipchains -I input 1 -i ppp+ -p TCP -y -s 0/0 -d 0/0 ftp -j DENY

# for 2.4.x kernels
$ /sbin/iptables -A INPUT -i ppp+ -p tcp --syn --destination-port ftp -j DROP
Where:

-i ppp+  is the device you want to filter. This may be "ppp0" to block only ppp0,
         or "ppp+" to block all ppp* devices.
-s 0/0   is the source of the packet. This may be "0/0" to block packets coming
         from *anywhere*, or a specific address/mask, like 192.168.1.0/24.
-d 0/0   is the destination of the packet. See source, above.
ftp      is the destination port of the packet. This may be a name, like www,
         or a number, like 80.
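To make the matching concrete, here is an added example (written for this note, not code from the original page or from the iptables project) that models what the 2.4.x rule above tests: the interface prefix given by "ppp+", the TCP flag combination that "--syn" stands for (SYN set; ACK, RST and FIN clear), and the destination port. It builds a few constructed TCP headers and reports the verdict the rule would give. Passing port=None models the "block every incoming SYN" variant from the first paragraph, which is what breaks active (non-passive) FTP: the server's data connection from port 20 arrives as an inbound SYN and is dropped.

```python
"""Added example: a small model of the match logic behind

    iptables -A INPUT -i ppp+ -p tcp --syn --destination-port ftp -j DROP

All packets below are constructed for illustration; nothing here touches a
real firewall.
"""
import struct

# TCP flag bits as laid out in the flags field of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed sample data)."""
    seq, ack = 0, 0
    data_offset_flags = (5 << 12) | flags      # data offset 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Extract source port, destination port and the 9-bit flags field."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF}


def iface_matches(iface, pattern):
    """iptables '-i' semantics: a trailing '+' is a prefix wildcard."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def is_syn_match(flags):
    """iptables '--syn': SYN set and ACK, RST, FIN all clear.
    A SYN/ACK reply to a connection *we* opened therefore does not match."""
    return bool(flags & SYN) and not (flags & (ACK | RST | FIN))


def rule_verdict(iface, raw_tcp, iface_pattern="ppp+", port=21):
    """Return 'DROP' if the rule matches, else None (packet falls through).
    port=None models a rule with no --destination-port, i.e. every inbound SYN."""
    if not iface_matches(iface, iface_pattern):
        return None
    hdr = parse_tcp_header(raw_tcp)
    if port is not None and hdr["dport"] != port:
        return None
    if not is_syn_match(hdr["flags"]):
        return None
    return "DROP"


def demo():
    """Walk through the cases the note discusses; returns a dict of verdicts."""
    cases = {
        # someone on the Internet tries to open our FTP control port
        "inbound SYN to 21 on ppp0": ("ppp0", build_tcp_header(40000, 21, SYN)),
        # reply to a connection we opened: SYN/ACK, and not to port 21 anyway
        "SYN/ACK reply on ppp0":     ("ppp0", build_tcp_header(21, 40000, SYN | ACK)),
        # established-connection traffic to port 21 (ACK only) passes
        "bare ACK to 21 on ppp0":    ("ppp0", build_tcp_header(40000, 21, ACK)),
        # same SYN on the LAN interface is not filtered by this rule
        "inbound SYN to 21 on eth0": ("eth0", build_tcp_header(40000, 21, SYN)),
        # SYN to another port is not covered by the port-21 rule
        "inbound SYN to 80 on ppp0": ("ppp0", build_tcp_header(40000, 80, SYN)),
    }
    verdicts = {name: rule_verdict(i, p) for name, (i, p) in cases.items()}
    # active-FTP caveat: with no port restriction, the server's data connection
    # (from port 20 to a high port on our side) is an inbound SYN and is dropped
    verdicts["active FTP data SYN, block-all-SYN rule"] = rule_verdict(
        "ppp0", build_tcp_header(20, 40001, SYN), port=None)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:45s} -> {verdict or 'no match'}")
```

Only the first and last cases are dropped; everything that belongs to a connection the client itself opened falls through, which is exactly why ordinary browsing keeps working while inbound connection attempts see a black hole.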
Please read the ipchains or the iptables documentation before you start messing around! The above is just a reminder or a teaser -- depends on how you look at it.