# iptables filter question...

## [Lx]-=Mystify=-

hi...

I want to do the following:

filter all incoming connections from my default gateway (even if it only routes connections to my system).

but I have to be able to connect the system to get packets into the inet (for portage updates, etc.)...

I'm not quite sure how to do that...

dropping all TCP SYN packets would achieve this, but only for TCP connections, not the ICMP & UDP packets..

any suggestions???

----------

## defenderBG

you can filter ICMP and UDP with iptables... but of course... don't forget to leave 127.0.0.1 (lo) unrestricted, if you want to use your computer freely...

what do you want to do... do you want to disable all UDP? and what about ICMP (ping and traceroute are there)? it is quite... interesting running a comp with fully disabled ICMP  :Smile: 

----------

## hollyo

Use iptables default policies?

```
iptables -P INPUT DROP
```

And then pass the rules to allow what you need.

----------

## [Lx]-=Mystify=-

@defenderBG:

as described above, the only thing I want to do is filter out certain traffic that comes from my default gateway... 

the reason is that my ISP (a university network) scans for hosts which are online, and I want to drop all traffic which is not really needed for updates (always connections that are established from my server to the inet).

one reason is that they are scanning for online hosts in our network via ARP requests, and I don't want that system to be seen from their point, neither should they be able to connect to any service on this machine (web, dc-server, samba, etc.)

so I was thinking about filtering out all packets which come from the MAC address of the router's (default gw) network card in our net, except those which belong to connections that I established from the server into the inet (mainly DNS and HTTP for updating the gentoo box).

@hollyo

if I just put a filter in that says drop anything that comes from the default gateway MAC, then I shouldn't be able to get connections into the inet, right???

----------

## pteppic

Just using a related/established rule followed by a drop-all should do that.

Any incoming connection is dropped, except related or established connections, and if the only way to establish a connection is from 'the inside out', for want of a better term, then the goal is accomplished.

If you do allow 'internal' access to services, then a 'drop from gateway' before the rules allowing service access will cover that angle too.

----------
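An added example of the rule order pteppic describes, not code from the thread: replies to connections this host opened are accepted first, then anything else arriving from the gateway's MAC is dropped before any service-allow rule. GW_MAC and the 192.168.0.0/24 LAN subnet are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. GW_MAC is a placeholder: replace it
# with the gateway NIC's MAC as shown by `ip neigh` or `arp -n`.
# Run with IPT=echo to print the rules instead of applying them (no root).
IPT="${IPT:-iptables}"
GW_MAC="${GW_MAC:-00:11:22:33:44:55}"   # placeholder MAC
LAN="${LAN:-192.168.0.0/24}"            # placeholder subnet

fw_rules() {
    # Default policy: anything not explicitly accepted below is dropped
    # (hollyo's suggestion), which also covers UDP and ICMP probes.
    $IPT -P INPUT DROP
    $IPT -F INPUT

    # Loopback stays open, as defenderBG noted.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (DNS, HTTP for portage) come
    # in via the gateway's MAC, so this rule MUST precede the MAC drop.
    # RELATED also admits ICMP errors belonging to those connections.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anything else that enters from the gateway's NIC (new connections,
    # pings, scans routed in from outside) is dropped here, before any
    # service-allow rule, so only LAN peers can reach local services.
    # Note: ARP is not IP and never traverses iptables; answering ARP
    # requests would have to be handled elsewhere (e.g. arptables).
    $IPT -A INPUT -m mac --mac-source "$GW_MAC" -j DROP

    # Example service rule for the LAN (hypothetical: a web server).
    $IPT -A INPUT -s "$LAN" -p tcp --dport 80 -j ACCEPT
    # Everything else falls through to the INPUT DROP policy.
}

# Usage: `sh fw.sh apply` as root, or `IPT=echo sh fw.sh apply` to preview.
if [ "${1:-}" = "apply" ]; then
    fw_rules
fi
```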

