When setting up a Linux firewall, you might want iptables to specifically filter traffic on your WAN-facing interface (typically eth0) while maintaining essential services like FTP (port 21) and SSH (port 22). This targeted approach enhances security without disrupting critical remote access.
Here's how to create rules that only affect eth0:
# Clear existing rules
iptables -F
iptables -X
# Set default policies. A chain policy is global, not per-interface: INPUT DROP
# closes every interface, and only the lo and eth0 rules below re-open traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT
Now we'll add rules that specifically target eth0:
# Allow SSH on eth0
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Allow FTP on eth0. Port 21 is the control channel; the data connections
# (active from server port 20, passive on a high port) are recognised by the
# nf_conntrack_ftp helper and admitted as RELATED by the conntrack rule above,
# so no high-port range is opened (1024:65535 would expose every high port).
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 21 -j CT --helper ftp # kernels >= 4.7 need explicit helper assignment
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
To prevent brute force attacks while keeping services available:
# Rate limit new SSH connections: at most 3 per source IP per 60 s, the 4th is dropped.
# These must sit ahead of the SSH ACCEPT above, so they are inserted with -I rather than
# appended with -A (appended, they would never be reached); the second -I lands first, giving --set then --update.
iptables -I INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
Make your rules persistent across reboots:
# For Debian/Ubuntu with ifupdown: a script in if-pre-up.d restores the rules before any
# interface comes up (appending a pre-up line to /etc/network/interfaces ties it to whichever
# iface stanza happens to be last, and appends another copy every time the command is run):
iptables-save > /etc/iptables.rules
printf '#!/bin/sh\niptables-restore < /etc/iptables.rules\n' > /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
# For RHEL/CentOS 6 (on 7 and later install the iptables-services package first and use systemctl enable iptables):
service iptables save
chkconfig iptables on
Check your rules with:
iptables -L -n -v
Look for the specific rules under the INPUT chain that mention eth0.
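A complete version of the procedure in this answer, written as an added example rather than code taken from the answer. It emits the ruleset in iptables-restore format and loads it in one atomic replace, keeps the INPUT policy at ACCEPT so traffic on other interfaces is untouched, diverts only packets arriving on the WAN interface into a dedicated default-deny chain, places the SSH rate limit ahead of the SSH ACCEPT (where an appended rule would never be reached), and relies on the ftp conntrack helper instead of opening a high-port range. The interface name eth0, the SSH port and the chain name WAN_IN are placeholders, and apply_rules needs root; run it from a console rather than over the SSH session it is about to filter.

```shell
#!/bin/sh
# Added example: builds and atomically loads a ruleset that filters only the
# WAN interface. Names are assumptions: WAN interface (default eth0), SSH
# port (default 22) and the user chain WAN_IN are placeholders.

# Emit the ruleset in iptables-restore format for WAN interface $1, SSH port $2.
build_rules() {
    wan="${1:-eth0}"
    ssh_port="${2:-22}"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Assign the ftp helper explicitly; kernels since 4.7 no longer do it
# automatically, and without it passive data connections are not RELATED.
-A PREROUTING -i $wan -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WAN_IN - [0:0]
# Policies are global, so INPUT stays ACCEPT and only $wan is diverted
# into WAN_IN; lo and any LAN interfaces are never inspected.
-A INPUT -i $wan -j WAN_IN
-A WAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A WAN_IN -m conntrack --ctstate INVALID -j DROP
# SSH: the rate limit must come before the ACCEPT, otherwise it is dead.
# A source gets at most 3 new connections per 60 s; the 4th is dropped.
-A WAN_IN -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name SSH --set
-A WAN_IN -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
-A WAN_IN -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# FTP control channel only; active (from port 20) and passive data
# connections are admitted as RELATED by the helper, so no port range is opened.
-A WAN_IN -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Everything else that arrived on $wan is dropped.
-A WAN_IN -j DROP
COMMIT
EOF
}

# Line number of the first rule matching pattern $2 in the ruleset for $1;
# used to check that the rate limit really precedes the ACCEPT.
rule_line() {
    build_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Syntax-check the ruleset, then load it in one atomic replace (needs root).
apply_rules() {
    modprobe nf_conntrack_ftp || return 1
    build_rules "$@" | iptables-restore --test || return 1
    build_rules "$@" | iptables-restore
}

# Usage (as root): apply_rules eth0 22; then inspect with: iptables -S WAN_IN
```

Because the whole ruleset is replaced in one iptables-restore call, a half-applied state (policy set to DROP before the ACCEPT rules exist) cannot occur, and `--test` rejects a typo before anything touches the live tables.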
When dealing with network security, it's common to apply firewall rules only to specific interfaces. In this case, we want to restrict iptables filtering to eth0 (WAN-facing interface) while maintaining FTP (port 21) and SSH (port 22) accessibility.
Here's how to configure iptables to only filter traffic on eth0:
# Flush existing rules
iptables -F
# Set default policies. A chain policy is global, not per-interface: INPUT DROP
# closes every interface, and only the interface-specific rules below re-open traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Interface-specific rules for eth0
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT # SSH
# FTP control channel (port 21). Data connections, active from server port 20 or passive on
# a high port, are matched as RELATED by the conntrack rule above once the ftp helper is assigned:
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT # FTP
For more granular control, consider these additions:
# Allow loopback traffic on all interfaces
iptables -A INPUT -i lo -j ACCEPT
# Rate limiting for SSH (helps prevent brute force attacks): at most 3 new connections per
# source per 60 s. Inserted with -I so they precede the SSH ACCEPT above (appended with -A they
# would never be reached); the second -I lands first, giving --set then --rcheck. ctstate NEW keeps
# packets of established sessions from being counted, since these rules now sit at the top of INPUT.
iptables -I INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --rcheck --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
# Passive FTP port range: only needed when the ftp conntrack helper is not in use, and then it
# must match the server's configured passive range exactly, since every port in it becomes reachable from the WAN
iptables -A INPUT -i eth0 -p tcp --dport 49152:65534 -j ACCEPT
To save your rules and make them persistent across reboots:
# For Debian/Ubuntu:
apt-get install iptables-persistent
netfilter-persistent save
# For RHEL/CentOS (6 ships this service; on 7 and later install the iptables-services package first):
service iptables save
Always verify your rules:
iptables -L -v -n
Check specifically for eth0 rules:
iptables -L -v -n | grep eth0
Remember these important considerations:
- FTP requires both port 21 (control) and port 20 (data) or passive ports
- SSH might need additional rules if using port forwarding
- Always test rules before applying them to production systems
- Consider using fail2ban for additional SSH protection
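Two of the problems in the rule lists on this page are mechanical enough to check automatically: a rate-limit rule that sits after an unconditional ACCEPT for the same port is never evaluated, and an ACCEPT for a wide port range quietly re-exposes every high port a DROP policy was meant to close. The following lint is an added example, not part of either answer. It reads a ruleset in iptables-save format and reports both conditions; the constructed sample reproduces the ordering from the answers above, and the 1024-port threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example: a lint for rulesets in iptables-save format. It flags
# (1) rate-limit rules shadowed by an earlier unconditional ACCEPT on the
# same chain and --dport, and (2) ACCEPT rules whose --dport range spans
# more than RANGE_LIMIT ports. The threshold and the samples are assumptions.
RANGE_LIMIT=1024

# Constructed sample reproducing the ordering of the answers above, in the
# form iptables-save prints it: the SSH ACCEPT precedes the rate limit and
# a blanket high-port range is open for passive FTP.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --mask 255.255.255.255 --rsource -j DROP
COMMIT'

# Constructed counterpart: rate limit ahead of the ACCEPT, no port range.
CLEAN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# Read a ruleset on stdin, print one finding per line, exit 1 if any were found.
lint_rules() {
    awk -v limit="$RANGE_LIMIT" '
    /^-A / {
        port = ""
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        if (port == "") next
        key = $2 " " port          # chain + port: an ACCEPT in another chain is irrelevant
        if ($0 ~ /-m recent/) {
            if (key in accept_at) {
                printf "line %d: rate-limit rule for %s is dead, shadowed by ACCEPT at line %d\n", NR, key, accept_at[key]
                found++
            }
        } else if ($0 ~ /-j ACCEPT$/) {
            if (!(key in accept_at)) accept_at[key] = NR
            if (split(port, r, ":") == 2 && r[2] - r[1] + 1 > limit) {
                printf "line %d: ACCEPT opens %d ports (%s) in %s\n", NR, r[2] - r[1] + 1, port, $2
                found++
            }
        }
    }
    END { exit (found > 0) }'
}

# Convenience wrapper: lint a ruleset held in a string.
lint_string() { printf '%s\n' "$1" | lint_rules; }

# Usage on a live host (as root): iptables-save | lint_rules
```

Running it on the sample reports both rate-limit lines as dead and the 64512-port range; running it on the corrected set prints nothing and exits 0, which makes it usable as a gate in whatever script applies the rules.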