This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: psyche-list@listman.redhat.com
From: Iain Buchanan <iain@pcorp.com.au>
Subject: Re: IPTABLES question
Date: 25 Feb 2003 09:07:30 +0930

On Tue, 2003-02-25 at 03:19, Leonard Miller wrote:
> How do I allow incoming http port 80 from only one machine and
> deny all others? Is it easy to turn off when testing is finished?

To make it more permanent, put in /etc/sysconfig/iptables something like
this (note the default policy is drop, and packets are logged so you can
see who's being bounced).

To start it (if you're not already using iptables)

    service iptables start

when you're done, run

    service iptables stop

and to make it permanent use redhat-config-services

    # /etc/sysconfig/iptables
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -s <ip_address> -j ACCEPT
    -A INPUT -j LOG --log-prefix "Input DROP: "
    COMMIT
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    *nat
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed

===

To: psyche-list@listman.redhat.com
From: Michael Schwendt <ms0301rh@arcor.de>
Subject: Re: IPTABLES question
Date: Tue, 25 Feb 2003 10:54:24 +0100

On 25 Feb 2003 09:07:30 +0930, Iain Buchanan wrote:
> On Tue, 2003-02-25 at 03:19, Leonard Miller wrote:
> > How do I allow incoming http port 80 from only one machine and
> > deny all others? Is it easy to turn off when testing is finished?
>
> To make it more permanent, put in /etc/sysconfig/iptables something like
> this (note the default policy is drop, and packets are logged so you can
> see who's being bounced).

-snip-

Editing /etc/sysconfig/iptables is not such a good idea because it might
trigger bugs in iptables' parser. Shouldn't happen too often. But also
with regard to type errors, I wouldn't edit the file manually. The format
of the file is the output of "iptables-save" and the input of
"iptables-restore". Hence I recommend you insert rules on the command-line
or with an ordinary shell script and then run "service iptables save" to
save them to /etc/sysconfig/iptables. Then the rest applies what Iain has
written.

===

To: psyche-list@listman.redhat.com
From: Jack Bowling <jbinpg@shaw.ca>
Subject: Re: Re[2]: IPTABLES question
Date: Mon, 24 Feb 2003 14:02:10 -0800

On Mon, Feb 24, 2003 at 12:45:46PM -0800, Jesse Keating wrote:
> On Monday 24 February 2003 12:43, Hans Scheffers wrote:
> > Hello Jesse,
> > What about outgoing?
> >
> > iptables -a OUTPUT -p tcp --sport 80 -d XXX.XXX.XXX.XXX
> > maybe even including state=ESTABLISHED?

Ummmm, guys. No way these rules are going to work without a jump target.
So add:

    -j ACCEPT

to the end of both given rules.

jb

===

To: psyche-list@listman.redhat.com
From: Jesse Keating <hosting@j2solutions.net>
Subject: Re: Re[2]: IPTABLES question
Date: Mon, 24 Feb 2003 16:18:47 -0800

On Monday 24 February 2003 14:02, Jack Bowling wrote:
> Ummmm, guys. No way these rules are going to work without a jump target.
> So add:
>
> -j ACCEPT
>
> to the end of both given rules.

Whoops! I knew I was forgetting something (;

===

To: psyche-list@listman.redhat.com
From: Ed.Greshko@greshko.com
Subject: Re: Re[2]: IPTABLES question
Date: Tue, 25 Feb 2003 08:49:01 +0800

On Mon, 24 Feb 2003, Jesse Keating wrote:
> > Ummmm, guys. No way these rules are going to work without a jump target.
> > So add:
> >
> > -j ACCEPT
> >
> > to the end of both given rules.
>
> Whoops! I knew I was forgetting something (;

<shameless_plug>
That's one of the reasons I prefer to use shorewall. Well documented
frontend to iptables. Doesn't forget a "key ingredient" (as my Grandmother
used to do with her cookies). No need to learn the syntax yet you have
every opportunity to learn about security. And, it has the facility to add
your own iptables commands if you find a need/desire.
<\shameless_plug>

===
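The following script is an added example, not code from any of the posters above: it builds the same INPUT ruleset Iain's /etc/sysconfig/iptables describes, but with plain iptables commands from a shell script as Michael recommends, so "service iptables save" can write the file afterwards. The address 192.0.2.10 in the usage line is a placeholder, and IPT may be set to "echo" to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: allow new HTTP (port 80) connections from one host only,
# log everything else, and leave the default INPUT policy at DROP.
# IPT can be overridden (IPT=echo) to dry-run without root.

IPT="${IPT:-iptables}"

# Accept only a plain dotted-quad so a typo or stray text cannot end up
# in the -s match. Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

apply_rules() {
    host="$1"
    valid_ipv4 "$host" || { echo "bad address: $host" >&2; return 1; }
    # Start from an empty INPUT chain.
    $IPT -F INPUT
    # Keep replies to our own connections and already-open sessions.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the test host may open new connections to port 80.
    $IPT -A INPUT -p tcp -m tcp --dport 80 -s "$host" -j ACCEPT
    # Log whatever falls through before the policy drops it.
    $IPT -A INPUT -j LOG --log-prefix "Input DROP: "
    # Set the default policy last so existing sessions are never cut off
    # between the flush and the ESTABLISHED rule.
    $IPT -P INPUT DROP
}

# Usage: ./allow80.sh 192.0.2.10 && service iptables save
[ "${1:-}" ] && apply_rules "$1"
```

Running it with "IPT=echo ./allow80.sh 192.0.2.10" shows the exact rules before they touch a live firewall.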