Firewall Configuration in Linux in Centos 6.2

Lakshmana

@thanksajdotcom Ok I understood

Lakshmana

How to block the SSH port in the IP table.I used the following command but it does not work?
My aim is that when I try to access the machine in Putty,the Centos machine should not be taken in the Putty

/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

thanksajdotcom

@Lakshmana said:

How to block the SSH port in the IP table.I used the following command but it does not work?
My aim is that when I try to access the machine in Putty,the Centos machine should not be taken in the Putty

/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

I want to say this is missing something at the end but I might be wrong. IPTables isn't my specialty.

scottalanmiller

@Lakshmana said:

How to block the SSH port in the IP table.I used the following command but it does not work?
My aim is that when I try to access the machine in Putty,the Centos machine should not be taken in the Putty

/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

You don't block port by port, you simply need to stop allowing it. You need to block everything. Show us your entire config file. IPtables can't be discussed without seeing the file you are asking about.

NetworkNerd

@scottalanmiller said:

@Lakshmana said:

How to block the SSH port in the IP table.I used the following command but it does not work?
My aim is that when I try to access the machine in Putty,the Centos machine should not be taken in the Putty

/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

You don't block port by port, you simply need to stop allowing it. You need to block everything. Show us your entire config file. IPtables can't be discussed without seeing the file you are asking about.

And don't forget that the traffic will follow the first matching rule in iptables. If you wanted to allow SSH for only certain ips, for example, you could put ACCEPT rules above the general DROP rule for SSH in the iptables config. That way those specific ips could get in as expected, but all others get blocked.

thanksajdotcom

In firewalls, the standard format is allow whatever you want through, whether that's opening specific ports, or whatever, and then there is the good ole "deny all" rule you put at the bottom. The syntax may vary from firewall to firewall, but the principal is the same. Allow what you want, IN THE ORDER YOU WANT THE PRIORITY TO BE, like @NetworkNerd said, and then deny the rest. Once you open EXACTLY what you want open, you shut the doors to everything else. That's how firewalls work.

A Former User

@thanksajdotcom said:

In firewalls, the standard format is allow whatever you want through, whether that's opening specific ports, or whatever, and then there is the good ole "deny all" rule you put at the bottom.

This isn't necessarily true. It really depends on the case. There are many cases when you'll want some deny rules before allow. It's about planning the processing order of the rules for that specific use, especially when you get into router with lots of networks running off of it. Deny rules can be used to "filter" down allow rules that come after it.

thanksajdotcom

@thecreativeone91 said:

@thanksajdotcom said:

In firewalls, the standard format is allow whatever you want through, whether that's opening specific ports, or whatever, and then there is the good ole "deny all" rule you put at the bottom.

This isn't necessarily true. It really depends on the case. There are many cases when you'll want some deny rules before allow. It's about planning the processing order of the rules for that specific use, especially when you get into router with lots of networks running off of it. Deny rules can be used to "filter" down allow rules that come after it.

This is true. I'm not denying that. However, most people allow what they want and deny the rest. It's much rarer to deny the specific things you don't want and allow the rest. I see that more internally than a public facing firewall.

scottalanmiller

We lead with geo-specific deny rules to block regions before allowing ports.

thanksajdotcom

@scottalanmiller said:

We lead with geo-specific deny rules to block regions before allowing ports.

And in that case it makes sense. You're blocking all traffic from China or Russia, for example. Then you allow the ports you want open but those countries are blocked, and maybe every other country is fine (hopefully you haven't blocked Spain... ;)), and then you deny the rest. That also makes logistical sense. I don't disagree with @thecreativeone91. It all comes down to what your objective is and then determining the best way to approach it.