Maybe, I am not understanding you, but if you just want port 80 to be available on each of those machines, all you needs is to have this in your iptables:<br>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br>
<br>:-)<br><br><div class="gmail_quote">On Mon, Mar 29, 2010 at 1:48 PM, <span dir="ltr"><<a href="mailto:m.roth@5-cent.us">m.roth@5-cent.us</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I've got a server with several ip's on eth0. I want to block all traffic<br>
*except* to port 80 on them, but not on any other IPs, so that<br>
eth0 is www.xxx.yyy.zzz<br>
eth0:1 is www.xxx.yyy.ggg<br>
eth0:2 is www.xxx.yyy.hhh<br>
<br>
I've tried<br>
-A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP<br>
-A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP<br>
<br>
and restarted (and several variants of this). iptables-save displays<br>
<br>
*filter<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [769:48207]<br>
:RH-Firewall-1-INPUT - [0:0]<br>
-A INPUT -j RH-Firewall-1-INPUT<br>
-A FORWARD -j RH-Firewall-1-INPUT<br>
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br>
-A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j DROP<br>
-A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j DROP<br>
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT<br>
<...><br>
and I notice it puts the ! in front of the --dport, but has no complaints.<br>
<br>
However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules?<br>
<br>
mark<br>
<br>
_______________________________________________<br>
CentOS mailing list<br>
<a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br>
<a href="http://lists.centos.org/mailman/listinfo/centos" target="_blank">http://lists.centos.org/mailman/listinfo/centos</a><br>
</blockquote></div><br>