How to block all ports except 80,443 with iptables? [duplicate]

Blocking all ports (in and out) is easy, but it's hard with the word "except". I don't know any rules that satisfy the condition.

PS: I know this question is nothing new. But in fact, I didn't find anything that helps. So, help me please!


First, the ! is the NOT symbol.

iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,443 -j DROP

Second, the rules you wrote may not have the expected results. You drop everything, including the response to the connection on port 80. Therefore, you will not be able to connect to it, say, for the purposes of a web server.

These rules allow RELATED and ESTABLISHED connections, so a web server should function, if that is in fact what you're trying to do.

iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
<insert further allowed list here>
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP

# Set the default policy of the INPUT chain to DROP
iptables -P INPUT DROP

# Accept incoming TCP connections from eth0 on port 80 and 443
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

This should give you what you need.


You can set your default action to DROP, and then create exception rules to allow 80 and 443, like so:

# Setting default policies:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Exceptions to default policy
iptables -A INPUT -p tcp --dport 80 -j ACCEPT       # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT      # HTTPS

iptables will go through the list of 'exceptions' until it finds a match. It will then perform the action specified by the -j parameter (ACCEPT in this case). If it doesn't find a match, it will fall back to the default policy and drop the packet.

Note that with this workaround any sub-domains will be locked out. For example, with this method you will have it working on www.mydomain.com all right, but your subdomain, let's say www.sub.mydomain.com, will not open due to DNS errors.
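As an added example (not code from any of the answers above), the same "default DROP, allow only 80 and 443" policy written as an atomic iptables-restore ruleset generated by a small shell function. It makes explicit the two rules the snippets above rely on but do not all show: the loopback rule and the conntrack rule that lets replies to the host's own connections (DNS lookups, updates) back in. The port list, the OUTPUT ACCEPT policy and the `--test` dry run are assumptions.

```shell
#!/bin/sh
# gen_rules PORT... : print an iptables-restore ruleset that accepts new
# inbound TCP connections only on the given ports and drops everything else.
# Added example; the allowed ports are supplied by the caller (assumption).
gen_rules() {
    # Build "80,443" for -m multiport from the positional arguments.
    ports=$(printf '%s,' "$@")
    ports=${ports%,}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must stay open or local services (and the stub resolver) break.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus related traffic (e.g. ICMP errors).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no tracked connection are dropped before port checks.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only new inbound connections that are accepted.
-A INPUT -p tcp -m multiport --dports ${ports} -j ACCEPT
COMMIT
EOF
}

# Dry run first, then apply atomically (both need root):
#   gen_rules 80 443 | iptables-restore --test && gen_rules 80 443 | iptables-restore
```

Because iptables-restore loads the whole table in one step, there is no window in which the DROP policy is active before the ACCEPT rules exist, unlike appending rules one `iptables -A` at a time over SSH.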