How to exclude a port from a Linux firewall

Q I received this answer from my friend to a question I asked. "Have you set up an appropriate Iptables rule? You need something like

iptables -A INPUT -i eth0 -p tcp --syn -m state -- state NEW -j NFQUEUE

If the box is a remote system, you should exclude the SSH port or whatever you use to connect to it." I don't get how to "exclude an SSH port" and I, can't ask him again, so I would appreciate any help you can give.

A Without knowing the question you asked your friend, this is difficult to answer with any degree of precision, so here is a more general response on the use of Iptables. The Linux Netfilter software that provides firewalling is built into the kernel, and Iptables is the user program that sets up the firewall rules for it - the one you have given here filters incoming packets on eth0 that are requesting a new TCP connection (--syn). Iptables is very powerful, but also very low-level. This means you can give the firewall specific instructions and it will do exactly what you tell it to, irrespective of whether that was really what you wanted it to do.

As a result, using Iptables without some detailed knowledge of it is quite dangerous. You could lock yourself out of a computer, or you could set up rules that you believe protect the system when they actually let all manner of potentially dangerous traffic through. To set up Iptables safely, you need one of two things. Either a good book or tutorial on the subject and the time to read and understand it, or a graphical front-end. There are a number of good front-ends available, which all perform basically the same function - provide an easy interface to tell the software what you want to filter, then generate the Iptables rules.

The available packages include Firewall Builder (, Guarddog ( and Shoreline Firewall ( The first is a GTK program that fits in well with a Gnome or Xfce desktop, while Guarddog is a KDE program. They offer similar features, but with a different approach. Shoreline Firewall is a script-based program that is harder to set up the first time, but provides more flexibility. Any of these are capable of protecting your system, so try them and see which you like best. The comment about the SSH port is because the rule you were given blocks all TCP traffic originating from outside. This is fine if you are not running any sort of server, but if this is a machine you access remotely via SSH, you would also lock yourself out.

The advice is to add a rule that allows SSH traffic - that is, traffic to port 22, the SSH port - to pass, so that you can still connect remotely. This is easily done by setting an option on any of the programs mentioned previously. Of course, if this computer is not a remote server, this advice is irrelevant. If you are dealing with a remote machine, running a GUI program may not be possible. However, these programs all generate standard Iptables rule sets, so you can run them on a local box, test the rules to ensure they do what you need, then transfer the rules to the remote computer.

Follow us on or Twitter

Username:   Password: