
I want to stop the internet on my system using iptables, so what should I do?

iptables -A INPUT -p tcp --sport 80 -j DROP

or

iptables -A INPUT -p tcp --dport 80 -j DROP ?


2 Answers


The reality is you're asking two different questions.

  • --sport is short for --source-port

  • --dport is short for --destination-port

Also, the internet is not simply the HTTP protocol, which is what typically runs on port 80. I suspect you're asking how to block HTTP requests. To do this you need to block 80 on the outbound chain.

iptables -A OUTPUT -p tcp --dport 80 -j DROP

will block all outbound HTTP requests going to port 80, so this won't block SSL, 8080 (alt HTTP) or any other weird ports. To do those kinds of things you need L7 filtering with much deeper packet inspection.
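To make the --sport / --dport and INPUT / OUTPUT distinction concrete, here is an added example (not part of the answer above) that audits a ruleset in iptables-save format and states, for each DROP/REJECT rule, which direction of traffic it actually stops. The sample ruleset is constructed for illustration and includes the two rules from the question beside the OUTPUT rule from the answer.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the original post).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --sport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -j DROP
COMMIT
"""

def parse_rule(line):
    """Return chain/proto/sport/dport/target for one '-A' line, else None."""
    if not line.startswith("-A "):
        return None  # table headers, chain policies and COMMIT are skipped
    toks = shlex.split(line)
    rule = {"chain": toks[1], "proto": None, "sport": None, "dport": None, "target": None}
    for i, tok in enumerate(toks[:-1]):
        if tok == "-p":
            rule["proto"] = toks[i + 1]
        elif tok in ("--sport", "--source-port"):
            rule["sport"] = toks[i + 1]
        elif tok in ("--dport", "--destination-port"):
            rule["dport"] = toks[i + 1]
        elif tok == "-j":
            rule["target"] = toks[i + 1]
    return rule

def describe(rule):
    """Explain, in terms of this host, what a blocking rule on a TCP port stops."""
    if rule["target"] not in ("DROP", "REJECT"):
        return "not a blocking rule"
    chain, sport, dport = rule["chain"], rule["sport"], rule["dport"]
    if chain == "OUTPUT" and dport:
        return f"blocks outbound connections to remote port {dport} (this host as a client)"
    if chain == "OUTPUT" and sport:
        return f"blocks replies sent by a local service on port {sport} (breaks a local server)"
    if chain == "INPUT" and dport:
        return f"blocks inbound connections to local port {dport} (a server here); browsing out still works"
    if chain == "INPUT" and sport:
        return f"drops replies from remote port {sport}: requests still leave, the connection just hangs"
    return "no TCP port match"

def audit(text):
    """Pair every '-A' rule line with a plain-language description of its effect."""
    return [(line, describe(r)) for line in text.splitlines() if (r := parse_rule(line))]
```

Running audit(SAMPLE_RULES) shows that only the OUTPUT --dport rules stop this host from opening HTTP/HTTPS connections, while the INPUT rules either protect a local server or merely drop the replies.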


Just to extend the answer of @xenoterracide: you can read more about iptables in the manpage iptables(8) (type man 8 iptables), but there you will not find --dport or --sport. These options are listed in iptables-extensions(8) in the sections multiport, tcp, udp and elsewhere. This might be interesting to you.

To "stop the internet on your system", you can probably just turn off the network interface with sudo ifdown <INTERNET FACING INTERFACE> or sudo ip link set <INTERNET FACING INTERFACE> down, for instance sudo ip link set eth0 down. To make this permanent, you need to have a look in /etc/network/interfaces (Ubuntu, Debian...) or /etc/sysconfig/network-scripts/ifcfg- (on RHEL, SLES, CentOS, Oracle Linux, Fedora...) or your network-manager config or anything else you use. This of course will cut any connections to or from "the internet", even the non-HTTP based ones, and will prevent the slight performance hit of using iptables and processing OSI/ISO layer 2 traffic.

