Firewalling

WARNING WORK IN PROGRESS

As a developer, you sometimes write software that listens on ports that need a little protection. While that is no excuse for writing insecure software, you can mitigate some of the risk with a few well-placed firewall rules using the ipchains package.

I assume the server part of your application listens for TCP connections on ports 9012 and 9014. The server runs on a central box with address 192.168.0.10, which is the machine we're going to secure. I also assume there are two developers working on the client application, so there are two addresses (192.168.0.11 and 192.168.0.12) that should be able to connect to ports 9012 and 9014.

The first two rules let those two developers connect. The last one denies everyone else. This is on Slackware Linux 10.1:

 # iptables -A INPUT -p tcp -m multiport --dports 9012,9014 -s 192.168.0.11 -j ACCEPT
 # iptables -A INPUT -p tcp -m multiport --dports 9012,9014 -s 192.168.0.12 -j ACCEPT
 # iptables -A INPUT -p tcp -m multiport --dports 9012,9014 -j DROP

On RedHat and derivatives, the DROP target is named REJECT.

Another option is to accept connections only from the 192.168.0 network and from localhost. Rules are checked top to bottom and the first match decides, so the localhost ACCEPT has to come before the DROP:

 # iptables -A INPUT -p tcp -s 127.0.0.1 -m multiport --dports 9012,9014 -j ACCEPT
 # iptables -A INPUT -p tcp ! -s 192.168.0.0/24 -m multiport --dports 9012,9014 -j DROP
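To see how the first-match evaluation plays out for the rules on this page, here is a small simulator (an added example, not part of the original page). It parses the subset of iptables options used above (`-p`, `-s` with `!`, `--dport`/`--dports`, `-j`) and walks the chain for a given source address and destination port; the addresses and ports are the page's own, and the default chain policy is assumed to be ACCEPT.

```python
"""First-match simulator for the INPUT rules on this page (added example)."""
import ipaddress
import shlex


def parse_rule(cmd):
    """Turn one 'iptables -A INPUT ...' line into a rule dict (subset of options)."""
    args = shlex.split(cmd)
    rule = {"proto": None, "src": None, "negate": False, "dports": None, "target": None}
    i = 0
    while i < len(args):
        a = args[i]
        if a == "!":                      # '! -s net' negates the source match
            rule["negate"] = True
        elif a == "-p":
            rule["proto"] = args[i + 1]
        elif a == "-s":
            rule["src"] = ipaddress.ip_network(args[i + 1], strict=False)
        elif a in ("--dport", "--dports"):
            rule["dports"] = {int(p) for p in args[i + 1].split(",")}
        elif a == "-j":
            rule["target"] = args[i + 1]
        i += 2 if a.startswith("-") else 1   # options take one value; bare words none
    return rule


def matches(rule, src, dport, proto):
    if rule["proto"] and rule["proto"] != proto:
        return False
    if rule["src"] is not None and (ipaddress.ip_address(src) in rule["src"]) == rule["negate"]:
        return False            # inside the net when negated, or outside when not
    return rule["dports"] is None or dport in rule["dports"]


def verdict(rules, src, dport, proto="tcp", policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides, else the chain policy."""
    for rule in rules:
        if matches(rule, src, dport, proto):
            return rule["target"]
    return policy


# The page's network/localhost rule set in both orders: DROP listed before the
# localhost ACCEPT, and the other way round. Ports and addresses are the page's own.
DROP_FIRST = [parse_rule(c) for c in (
    "iptables -A INPUT -p tcp ! -s 192.168.0.0/24 -m multiport --dports 9012,9014 -j DROP",
    "iptables -A INPUT -p tcp -s 127.0.0.1 -m multiport --dports 9012,9014 -j ACCEPT",
)]
ACCEPT_FIRST = DROP_FIRST[::-1]
```

With DROP listed first, `verdict(DROP_FIRST, "127.0.0.1", 9012)` returns DROP because 127.0.0.1 is outside 192.168.0.0/24 and the ACCEPT rule is never reached; with the rules swapped it returns ACCEPT.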

After you're done, don't forget to save the rules. On RedHat and derivatives, just type

 # iptables-save > /etc/sysconfig/iptables

Debugging

To debug your firewall rules and see where the packets are going, the following command is very useful (its output refreshes every 2 seconds):

 # watch iptables -nvL