====== IP-tables drop exceptions ======
Consider an example where your mail server is listening on TCP port 25 (SMTP service). There is no need to block UDP, because no daemon is listening on it. It is usually more practical to allow certain hosts, networks or connection states and then block everything that does not fit those criteria. For example, if I only want hosts 10.0.0.1 and 84.42.42.42 to connect to my mail server, I can allow those exceptions and block everything else. The following basic iptables rules can be appended to the INPUT chain, assuming there are no previous entries in the INPUT chain that allow unrestricted access to port 25. iptables evaluates rules in order and the first match decides, so an earlier ACCEPT for port 25 would take effect before the DROP is reached.
  iptables -A INPUT -p tcp -s 10.0.0.1 --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp -s 84.42.42.42 --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp --dport 25 -j DROP
To see what daemons are listening on various ports:
  netstat -lputn
To view existing iptables entries:
  iptables -L -n
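
The assumption above, that no earlier INPUT entry already allows unrestricted access to port 25, can be checked mechanically. The script below is an added example, not part of the original page: it reads `iptables -S INPUT` output and prints any rule that accepts the port from any source before the DROP is reached. The function name and both sample rulesets are constructed for illustration, and a rule carrying any other match (such as `-i` or `-m conntrack`) is assumed to be restricted and is skipped.

```shell
#!/bin/sh
# Added example: report INPUT rules that accept TCP/<port> from any source
# before a DROP/REJECT for that port is reached (rules match top-down).
# Input is `iptables -S INPUT` output on stdin. Simplification (assumption):
# a rule with any other match (-i, -m conntrack, ...) counts as restricted.
find_shadowing_accepts() {
    awk -v port="$1" '
    BEGIN { found = 0 }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        src = proto = dport = target = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if      ($i == "-s")      src = $(++i)
            else if ($i == "-p")      proto = $(++i)
            else if ($i == "--dport") dport = $(++i)
            else if ($i == "-m" && $(i + 1) == "tcp") i++
            else if ($i == "-j")      { target = $(i + 1); break }
            else other = 1
        }
        any_src = (src == "" || src == "0.0.0.0/0")
        covers  = (proto == "" || proto == "tcp" || proto == "all") &&
                  (dport == "" || dport == port)
        if (other || !any_src || !covers) next
        if (target == "DROP" || target == "REJECT") exit  # later rules never see the port
        if (target == "ACCEPT") { print; found = 1 }
    }
    END { exit found }'   # status 1 when at least one shadowing rule was printed
}

# Constructed sample: an older open rule sits above the appended exceptions.
bad_rules() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 84.42.42.42/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
EOF
}

# Constructed sample: only the exceptions from this page, then the DROP.
good_rules() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 10.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 84.42.42.42/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
EOF
}

bad_rules | find_shadowing_accepts 25 || echo "rule(s) above match before the port 25 DROP"
```

On a live host, run it as root with `iptables -S INPUT | find_shadowing_accepts 25`.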