Well let’s get a bit more advanced. We know that these packets use a certain protocol, and if that protocol is TCP, then it also uses a certain port. Now you might be compelled to just close all ports to incoming traffic, but remember, after your computer talks to another computer, that computer must talk back. If you close all of your incoming ports, you’ll essentially render your connection useless. And for most non-service programs, you can’t predict which port they’re going to be communicating on. But there’s still a way. Whenever two computers are talking over a TCP connection, that connection must first be initialized. This is the job of a SYN packet. A SYN packet simply tells the other computer that it’s ready to talk. Now only the computer requesting the service sends a SYN packet. So if you only block incoming SYN packets, it stops other computers from opening services on your computer but doesn’t stop you from communicating with them. It roughly makes your computer ignore anything that it didn’t speak to first. It’s mean but it gets the job done. Well the option for this is –syn after you’ve specified the TCP protocol. So to make a rule that would block all incoming connections on only the internet:
iptables -A INPUT -i ppp0 -p tcp –syn -j DROP
That’s a likely rule that you’ll be using unless you have a web service running. If you want to leave one port open, for example 80 (HTTP), there’s a simple way to do this too. As with many programming languages, an exclamation mark means not. For instance, if you wanted to block all SYN packets on all ports except 80, I believe it would look something like this:
iptables -A INPUT -i ppp0 -p tcp –syn –destination-port ! 80 -j DROP
It’s somewhat complicated but it’s not so hard to comprehend. There’s one last thing I’d like to cover and that’s changing the policy for a chain. The chains INPUT and OUTPUT are usually set to ACCEPT by default and FORWARD is set to DENY. Well if you want to use this computer as a router, you would probably want to set the FORWARD policy to ACCEPT. How do we do this you ask? Well it’s really very simple. All you have to do is use the -P option. Just follow it by the chain name and the new policy and you have it made. To change the FORWARD chain to an ACCEPT policy, we’d do this: iptables -P FORWARD ACCEPT
Nothing to it, huh? This is really just the basics of iptables. It should help you set up a limited firewall but there’s still a lot more that I couldn’t talk about. You can look at the man page “man iptables” to learn more of the options (or refresh your memory when you forget). You can find more advanced documents if you want to learn some of the more advanced features of iptables. At the time of this writing, iptables documents are somewhat rare because the technology is new but they should be springing up soon. Good luck.
Helpful Links:
Introducing Netfilter (iptables)
https://www.linuxsecurity.com/docs/colsfaq.html
