Ports


barghota
Peace be upon you,

How do I close ports 80, 111, 139, 443, 1024 and 6000? Thanks a lot.

NewComer
Why would you want to close port 80?
It's the HTTP port.
Try http://www.linux-egypt.com:80 and see where you go. Nearly all web servers are configured on port 80.
Now try http://www.linux-egypt.com:111 and see what you get!

barghota
Okay, I know that port 80 is for HTTP, but I want to know how to close it, in addition to the other ports mentioned.

uniball
To allow no one from the localhost to access the port:

iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --sport 80 -j DROP

to allow no one from outside to access the port:

iptables -A OUTPUT -p tcp --sport 80 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP


When writing your iptables rules you have two ways:
either allow everything and block the specific ports you want closed,
or
block everything and open ports for the required services (that's what I do).

barghota
I am sorry, uniball, but what is iptables?

angoranimi
If you have a process running unnecessarily which opens a port, blocking it with iptables is the wrong approach.

This is like wanting to disable telnet in inetd.conf and, instead of commenting it out of inetd.conf, commenting out the "telnet" port in /etc/services. It will do the job, but it is the wrong approach.

Here is the correct approach:

1) Find the culprit process. In this case it's probably httpd, but you never know. Let's assume we want port 6000:

angoranimi#grep 6000\/tcp /etc/services
x11 6000/tcp #6000-6063 are assigned to X Window System

(so they call it x11; let's see what process is bound to that)

angoranimi#lsof -i | grep x11
XFree86 183 root 1u IPv4 0xcc50c080 0t0 TCP *:x11 (LISTEN)

2) Determine if the process has to be running:
a) if it has to be, use the iptables approach.
b) if it doesn't have to be, kill it.


Chances are, you don't need a webserver running on your computer. Kill this instance and banish it from startup scripts.
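
The two lookups above (port to /etc/services name, then name to listening process) are easy to script. The following is an added example, not code from the thread: it reads /etc/services-format text and `lsof -nP -iTCP -sTCP:LISTEN` output on stdin, so it works on the real thing, and the sample data embedded below is constructed so the script also runs offline. The `--live` flag and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): map a TCP port to its /etc/services
# name and to the process listening on it. Both lookups read stdin:
#   service_name_for_port 6000 < /etc/services
#   lsof -nP -iTCP -sTCP:LISTEN | listener_for_port 6000
# The sample data below is constructed for offline use.

SAMPLE_SERVICES='# constructed excerpt in /etc/services format
http            80/tcp          www
sunrpc          111/tcp         portmapper
sunrpc          111/udp         portmapper
netbios-ssn     139/tcp
https           443/tcp
x11             6000/tcp                        # X Window System'

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Xorg      183 root    1u  IPv4   1234      0t0  TCP *:6000 (LISTEN)
httpd     411 root    3u  IPv6   2345      0t0  TCP *:80 (LISTEN)
rpcbind   230 root    8u  IPv4   3456      0t0  TCP *:111 (LISTEN)
cupsd     522 root    6u  IPv4   4567      0t0  TCP 127.0.0.1:631 (LISTEN)'

# Print the service name registered for $1/tcp; comment lines are skipped.
service_name_for_port() {
    awk -v p="$1" '$1 !~ /^#/ && $2 == (p "/tcp") { print $1; exit }'
}

# Print "COMMAND PID USER" for the process bound to TCP port $1.
# NAME is "addr:port (LISTEN)", so the port is the last ":"-field of $(NF-1);
# this also handles 127.0.0.1:631 and IPv6 forms such as [::]:80.
listener_for_port() {
    awk -v p="$1" 'NR > 1 && $NF == "(LISTEN)" {
        n = split($(NF-1), a, ":")
        if (a[n] == p) print $1, $2, $3
    }'
}

# Combine both: $1 = port, $2 = services text, $3 = lsof text.
report_port() {
    name=$(printf '%s\n' "$2" | service_name_for_port "$1")
    proc=$(printf '%s\n' "$3" | listener_for_port "$1")
    if [ -n "$proc" ]; then
        echo "port $1/tcp (${name:-unknown}): listening -> $proc"
    else
        echo "port $1/tcp (${name:-unknown}): nothing listening"
    fi
}

# Usage: ./find_listener.sh --live 6000   (reads /etc/services and lsof for real)
#        ./find_listener.sh               (walks the constructed samples)
if [ "${1-}" = "--live" ]; then
    report_port "$2" "$(cat /etc/services)" "$(lsof -nP -iTCP -sTCP:LISTEN)"
else
    for port in 80 111 139 443 1024 6000; do
        report_port "$port" "$SAMPLE_SERVICES" "$SAMPLE_LSOF"
    done
fi
```

A port with "nothing listening" needs no rule at all; for one that does show a process, the PID is what you stop and the COMMAND is what you remove from the startup scripts.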

MadFarmAnimalz
Originally posted by uniball
To allow no one from the localhost to access the port:

iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --sport 80 -j DROP

to allow no one from outside to access the port:

iptables -A OUTPUT -p tcp --sport 80 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP


When writing your iptables rules you have two ways:
either allow everything and block the specific ports you want closed,
or
block everything and open ports for the required services (that's what I do).

Not quite, close though. Your first pair of rules would block off any kind of client HTTP access; nothing to do with localhost.

Your second pair would prevent your machine from serving HTTP requests.

I think what you mean is:



# define interfaces
EX_IF="ppp+"
LO_IF="lo"

# Now allow any loopback traffic at the top of the ruleset to keep things simple and reduce overhead
iptables -A INPUT -i $LO_IF -j ACCEPT
iptables -A OUTPUT -i $LO_IF -j ACCEPT

# and then block off unwanted non-local traffic
iptables -A INPUT -i $EX_IF -p tcp --dport 80 -j DROP
iptables -A OUTPUT -i $EX_IF -p tcp --sport 80 -j DROP


At least that's the obvious thing to do.

And angoranimi's right. The proper procedure is to find out what's sitting on that port, figure out if you need it, stop the service, and optimally, remove the program to begin with.

This is all covered very well and extensively in the Security-HOWTO. Go read.

:-)

uniball
He asked "how do I close...", so I closed them for him ;-)
Sure, the better thing is to stop the services you don't want, but sometimes you
have to use iptables.
I'm running Apache on my box, and it's behind the firewall. I have to run it,
but I block any access except from the localhost.

Here are some of my iptables rules:

# loopback interface
#-------------------
# Allow all communications.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

MadFarmAnimalz
Of course, I forgot that it's -o for outgoing, not -i. That is very counterintuitive, now that I think of it... Maybe that justifies a feature request from Russell...
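
Putting the two posts together: uniball's "block everything, open what you need" policy, with the loopback rules written the way the correction above says (-i on INPUT, -o on OUTPUT). This is an added example, not a ruleset from anyone in the thread. It prints the rules in iptables-restore format so the whole set loads atomically rather than one -A at a time, and only touches the live firewall when given --apply (which needs root). The external interface name, the conntrack match and the --apply flag are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): a default-deny filter table that keeps
# services such as Apache reachable from localhost only, and opens exactly the
# TCP ports passed on the command line to the outside world.
# Assumes: the conntrack match is available; EXT_IF is your external interface.

# gen_ruleset EXT_IF [PORT...]: print a complete filter table to stdout.
gen_ruleset() {
    ex_if="$1"; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: -i belongs on INPUT, -o on OUTPUT; this is what keeps
# a localhost-only Apache usable while port 80 stays closed from outside
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened itself
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # one ACCEPT per service that must be reachable from outside
    for port in "$@"; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$ex_if" "$port"
    done
    cat <<EOF
# anything else arriving on the external interface gets a RST instead of a
# silent timeout; traffic on other interfaces falls through to the DROP policy
-A INPUT -i $ex_if -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Count the ports a generated ruleset opens (sanity check before applying).
count_open_ports() {
    grep -c -e '--dport' || true   # grep -c exits 1 on zero matches
}

# Usage: ./rules.sh ppp0 22 443            # preview the table
#        ./rules.sh --apply ppp0 22 443    # load it (root)
if [ "${1-}" = "--apply" ]; then
    shift
    gen_ruleset "$@" | iptables-restore
elif [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Because the INPUT side never accepts a new connection to a closed port, the separate `OUTPUT --sport 80 DROP` rule from earlier in the thread is not needed: no reply from port 80 to an outside host can exist if the incoming SYN was dropped.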