I've got a server with several IPs on eth0. I want to block all traffic *except* to port 80 on them, but not on any other IPs, so that
eth0 is www.xxx.yyy.zzz
eth0:1 is www.xxx.yyy.ggg
eth0:2 is www.xxx.yyy.hhh
I've tried
-A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP
-A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP
and restarted (and several variants of this). iptables-save displays
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [769:48207]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j DROP
-A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
<...>
and I notice it puts the ! in front of the --dport, but has no complaints.
However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules?
mark
Maybe I am not understanding you, but if you just want port 80 to be available on each of those machines, all you need is to have this in your iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
:-)
On Mon, Mar 29, 2010 at 1:48 PM, m.roth@5-cent.us wrote:
> I've got a server with several IPs on eth0. I want to block all traffic *except* to port 80 on them, but not on any other IPs, so that
> eth0 is www.xxx.yyy.zzz
> eth0:1 is www.xxx.yyy.ggg
> eth0:2 is www.xxx.yyy.hhh
> I've tried
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP
> and restarted (and several variants of this). iptables-save displays
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [769:48207]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j DROP
> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j DROP
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> <...>
> and I notice it puts the ! in front of the --dport, but has no complaints.
> However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules?
> mark
> CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
> Maybe I am not understanding you, but if you just want port 80 to be available on each of those machines, all you need is to have this in your iptables:
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> :-)
I want to drop *anything* other than to port 80.
mark
On Monday 29 March 2010 16:48, m.roth@5-cent.us wrote:
> I've got a server with several IPs on eth0. I want to block all traffic *except* to port 80 on them, but not on any other IPs, so that
> eth0 is www.xxx.yyy.zzz
> eth0:1 is www.xxx.yyy.ggg
> eth0:2 is www.xxx.yyy.hhh
> I've tried
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP
The problem is your firewall is no firewall. It blocks nothing and allows everything.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [769:48207]
> :RH-Firewall-1-INPUT - [0:0]
By setting all the default policies to ACCEPT you are blocking nothing.
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j DROP
> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j DROP
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> <...>
> and I notice it puts the ! in front of the --dport, but has no complaints.
> However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules?
See above. Try these rules; I'm sure you will get better results. And yes, I dropped the stupid RH-Firewall-1-INPUT BS that RH puts in there. Let's make a stateful firewall while we are at it also.
# Set policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Setup OUTPUT rules to allow everything outbound
# (-A appends, so the rules keep the order written here; -I would insert
# each one at the top of the chain and leave the DROP matched first)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -j DROP

# Setup INPUT rules to only allow what we want
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
Sure, you can combine the output rules into one, but I like it this way in case I need to block something from exiting the system.
You can use this tutorial to better define your rules; for example, the icmp rule you have above can be fine-tuned to only allow what is needed. Just remember that the rules are read from top to bottom and the first matching rule is used.
http://www.zoominternet.net/~lazydog/iptables-tutorial.html
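What mark actually asked for, as an added example that is not from the thread: a separate chain that restricts only the alias addresses to TCP/80 and is hooked at the top of INPUT, so the primary address and the existing rules are untouched. The rule order is made explicit (`-A` appends, so the port-80 ACCEPT is matched before the final DROP), loopback stays allowed, and `iptables -C` confirms the jumps are in place. The addresses, the chain name WEB-ONLY and the helper names are placeholders of mine.

```shell
#!/bin/sh
# Added example, not from the thread: restrict the alias addresses to TCP/80
# only, leave the primary address and the existing chain alone, and keep the
# first-match order explicit (-A appends; -I without a position reverses it).
# IPs are documentation-range placeholders; set WEB_ONLY_IPS for real ones.
# DRY_RUN=1 prints the commands instead of running them.
set -eu

WEB_ONLY_IPS="${WEB_ONLY_IPS:-198.51.100.11 198.51.100.12}"  # eth0:1, eth0:2
CHAIN=WEB-ONLY   # own chain, so it can be flushed and rebuilt on its own

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_web_only_chain() {
    ipt -N "$CHAIN" 2>/dev/null || true      # create once, tolerate "exists"
    ipt -F "$CHAIN"                          # rebuild from scratch each run
    ipt -A "$CHAIN" -i lo -j ACCEPT          # the host may still talk to itself
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A "$CHAIN" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A "$CHAIN" -j DROP                  # everything else to these IPs
    # Hook the chain at the top of INPUT for the web-only IPs only; the
    # primary IP never enters it, so its existing rules are unaffected.
    # Delete-then-insert keeps repeated runs from stacking duplicate jumps.
    for ip in $WEB_ONLY_IPS; do
        ipt -D INPUT -d "$ip" -j "$CHAIN" 2>/dev/null || true
        ipt -I INPUT 1 -d "$ip" -j "$CHAIN"
    done
}

# Exit 0 only if every web-only IP is hooked into the chain
# (iptables -C tests for a rule without changing anything).
check_web_only() {
    for ip in $WEB_ONLY_IPS; do
        ipt -C INPUT -d "$ip" -j "$CHAIN" >/dev/null 2>&1 || return 1
    done
}

case "${1:-}" in
    apply) build_web_only_chain && check_web_only ;;
    show)  DRY_RUN=1; build_web_only_chain ;;
esac
```

Run it with `show` to preview the commands, and with `apply` as root to install and verify them.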