# Need help with iptable rules

## farmer.ro

At the moment I have iptables:

```
Chain input accept
Chain forward accept
Chain output accept
```

I am used to ufw and unfamiliar with iptables; how do I:

BLOCK ALL IN AND OUT traffic + only allow: port 443 tcp/udp + 53 tcp/udp + 80/tcp + 8080/tcp + 873/tcp

----------

## Zucca

I've always thought iptables is a mess and I still do. But I think it's important to learn it to be able to configure a firewall on any Linux.

So... I think you need to create one long rule... With multiport module maybe.

```
# "!" has to be its own token in front of the option it negates
/sbin/iptables -A INPUT -m state --state NEW -p tcp ! --dport 80 -j DROP
```

... would drop all outgoing connections that aren't going to tcp port 80. I have something along the lines of that on my server, which is now disconnected and powered off since I'm doing some service on the rack cabinet. Therefore I cannot check the exact lines.

```
--destination-ports port[,port[,port...]]
       Match if the destination port is one of the given ports. The
       flag --dports is a convenient alias for this option.
```

... to get you started. Remember to use "!" to drop all BUT the connections going out to the listed ports.

I hope this helps.

----------

## farmer.ro

Thank you for the post, but I just finished creating iptables rules.

On ufw it is possible to block IN and OUT and allow, for example, only port 53 OUT, and leave 53 IN blocked.

Strange: on iptables, I just tested it and it seems you need both 53 IN + OUT.

Also, what is the FORWARD chain used for? I have no idea.

----------

## charles17

Have you seen that sample script in the wiki?

It first flushes (-F), deletes (-X) and zeroes (-Z) the chains, then puts policies (DROP or ACCEPT) on them. Then comes what you explicitly allow.

Regarding the FORWARD chain, you only need it for servers, not for clients.

----------

## Hu

ufw is a frontend to manage the kernel's netfilter rules.  It can only do things that the kernel supports.  iptables is a tool to directly manage the rules in the kernel.  Anything you can do in ufw can, with the right iptables rule, be done using only iptables.  Zucca's advice, though well intentioned, will not scale correctly.  Rules are first-match-wins, so if you write a rule to DROP all non-80 traffic, then a rule to DROP all non-53 traffic, then you are dropping all traffic because all 80 traffic is non-53 traffic.

The correct approach is the one hinted at by charles17. Use a policy of DROP and whitelist the specific ports and interfaces you want to allow. Note that the wiki script he pointed you to is a dangerous idea. It updates the rules in a non-atomic manner. Despite this, you will frequently find people telling you to use a script that performs non-atomic updates because it works fine, until it blows up in your face. On the positive side, the Wiki page he cites does hint that you should use the initscript to save/restore the rules, which is better advice than I usually see from people who advocate using a bash script to load rules. If you are in a hurry, use such a script to load the rules once, then proofread and do appropriate testing on the loaded rules. When you are happy, save the rules using the initscript and rely on it to load them on next boot, not the bash script.

----------
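As an added example (not code from anyone in the thread), here is the approach Hu describes: a default DROP policy on all three chains with a whitelist of the ports from farmer.ro's question, written as an iptables-restore ruleset so the whole set is loaded in one atomic step instead of rule by rule. It assumes the ports were meant for outbound connections; the conntrack state match then lets the replies back in, which is why no separate inbound rule per port is needed (the point farmer.ro ran into).

```shell
#!/bin/sh
# Added example, not from the thread. Nothing here touches the kernel:
# make_ruleset only prints an iptables-restore file so it can be reviewed
# before it is loaded.

# Port list taken from the original question (443/53 also over udp).
TCP_PORTS="443,53,80,8080,873"
UDP_PORTS="443,53"

# Emit the ruleset. Policies are DROP on INPUT, FORWARD and OUTPUT;
# loopback and ESTABLISHED/RELATED traffic are allowed on both sides, and
# NEW connections are allowed only outbound to the listed ports. Inbound
# replies (e.g. the DNS answer on 53) match the conntrack rule, so no
# per-port INPUT rule is required. Assumption: outbound-only was wanted.
make_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports $TCP_PORTS -j ACCEPT
-A OUTPUT -p udp -m conntrack --ctstate NEW -m multiport --dports $UDP_PORTS -j ACCEPT
COMMIT
EOF
}

# Number of rules that admit NEW connections (one per protocol); handy as
# a sanity check that the whitelist did not grow by accident.
count_new_accepts() {
    make_ruleset | grep -c -- '--ctstate NEW .* -j ACCEPT'
}

# To apply (as root, after reading the output): iptables-restore parses
# the file and commits it in one transaction, or not at all.
#   make_ruleset > /tmp/rules.v4
#   iptables-restore --test /tmp/rules.v4 && iptables-restore /tmp/rules.v4
```

Save the loaded rules afterwards with the distribution's initscript (or iptables-save) so they come back the same way on the next boot.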

