Maybe, I am not understanding you, but if you just want port 80 to be available on each of those machines, all you needs is to have this in your iptables: -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT :-) On Mon, Mar 29, 2010 at 1:48 PM, <m.roth at 5-cent.us> wrote: > I've got a server with several ip's on eth0. I want to block all traffic > *except* to port 80 on them, but not on any other IPs, so that > eth0 is www.xxx.yyy.zzz > eth0:1 is www.xxx.yyy.ggg > eth0:2 is www.xxx.yyy.hhh > > I've tried > -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP > -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP > > and restarted (and several variants of this). iptables-save displays > > *filter > :INPUT ACCEPT [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [769:48207] > :RH-Firewall-1-INPUT - [0:0] > -A INPUT -j RH-Firewall-1-INPUT > -A FORWARD -j RH-Firewall-1-INPUT > -A RH-Firewall-1-INPUT -i lo -j ACCEPT > -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j > DROP > -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j > DROP > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT > <...> > and I notice it puts the ! in front of the --dport, but has no complaints. > > However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules? > > mark > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20100329/1ea5b5d8/attachment-0005.html>