How to drop unnecessary ports on a server
Traffic to a port that should not be reachable from outside can be dropped (or rejected) with a pair of iptables rules. The example below is MySQL on TCP 3306, which should only accept connections from localhost. First, insert the ACCEPT rule for the trusted source at position 1:
root@svrxx [~]# iptables -I INPUT 1 --protocol tcp --destination-port 3306 -s 127.0.0.1 -j ACCEPT
root@svrxx [~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     tcp  --  localhost  anywhere     tcp dpt:mysql
This tells the firewall to -j ACCEPT all --protocol tcp connections to --destination-port 3306 from the address -s 127.0.0.1.
Now insert the deny rule at position 2, directly after the ACCEPT:
root@svrxx [~]# iptables -I INPUT 2 --protocol tcp --destination-port 3306 -j DROP
root@svrxx [~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     tcp  --  localhost  anywhere     tcp dpt:mysql
DROP       tcp  --  anywhere   anywhere     tcp dpt:mysql
REJECT     tcp  --  anywhere   anywhere     tcp dpt:mysql reject-with icmp-port-unreachable
acctboth   all  --  anywhere   anywhere
Rule 2 tells the firewall to -j DROP all --protocol tcp connections to --destination-port 3306 from any address (the -s option is omitted, so it matches every source). Rules are processed top-down (from 1 to n) and the first one that matches a packet is applied: a connection from 127.0.0.1 matches rule 1 and is accepted before rule 2 is ever consulted, while every other source falls through to the DROP. If no rule matches, the chain's default policy (normally ACCEPT) applies. Note that the REJECT rule sitting at position 3 in the listing is now shadowed: nothing destined for port 3306 gets past the DROP, so remote clients will see a connection timeout rather than the immediate "port unreachable" a REJECT would send. Use DROP if you want scanners to get no answer at all, REJECT if you want legitimate misconfigured clients to fail fast.
Repeat the same ACCEPT-then-DROP pair for every service you want to lock down.
Finally, save the rules so they survive a reboot (this is the RHEL/CentOS 6 style command; on other systems persist them with iptables-save):
root@svrxx [~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
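The procedure above, applied to a whole list of services, as an added example that is not part of the original page. The script generalizes the pattern: for each service it inserts one ACCEPT per trusted source and then a catch-all DROP directly below them, so the trusted sources always match first. The service table, the ports (MySQL, Redis, memcached) and the source addresses are constructed for illustration; by default it only prints the iptables commands, and runs them when APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not from the original page): lock down a list of services with the
# "ACCEPT trusted sources first, then DROP everything else" pattern shown above.
# The service table and the source addresses below are constructed for illustration.
#
# Usage:  sh lockdown.sh          # dry run: print the iptables commands
#         APPLY=1 sh lockdown.sh  # run them (needs root and iptables)

# Constructed table, one service per line: "port/proto source [source ...]"
SERVICES='3306/tcp 127.0.0.1
6379/tcp 127.0.0.1 10.0.0.0/8
11211/tcp 127.0.0.1'

# Print an iptables command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Emit the rules for one service. The ACCEPT rules are inserted at positions 1..n and
# the catch-all DROP right after them, so a trusted source matches before the drop.
# Args: port/proto, then the allowed source addresses.
lockdown_service() {
    spec=$1
    shift
    port=${spec%/*}
    proto=${spec#*/}
    pos=1
    for src in "$@"; do
        run -I INPUT "$pos" --protocol "$proto" --destination-port "$port" -s "$src" -j ACCEPT
        pos=$((pos + 1))
    done
    run -I INPUT "$pos" --protocol "$proto" --destination-port "$port" -j DROP
}

# Apply the pattern to every line of the table.
lockdown_all() {
    printf '%s\n' "$SERVICES" | while read -r spec sources; do
        [ -n "$spec" ] || continue
        # $sources is unquoted on purpose: each address becomes its own argument.
        lockdown_service "$spec" $sources
    done
}

lockdown_all
```

Because every service is inserted at the top of INPUT, later services end up above earlier ones; that is harmless, since each group only matches its own port. After applying, verify the order with `iptables -L INPUT -n --line-numbers`, confirm from a trusted host that the service still answers and from an untrusted one that the connection times out (DROP) rather than being refused, and only then persist the rules with `service iptables save` (or `iptables-save`).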