[CentOS] iptables rules

Mon Mar 29 21:04:33 UTC 2010
Néstor <rotsen at gmail.com>

Maybe, I am not understanding you, but if you just want port 80 to be
available on each of those machines, all you needs is to have this in your
iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
ACCEPT

:-)

On Mon, Mar 29, 2010 at 1:48 PM, <m.roth at 5-cent.us> wrote:

> I've got a server with several ip's on eth0. I want to block all traffic
> *except* to port 80 on them, but not on any other IPs, so that
> eth0 is www.xxx.yyy.zzz
> eth0:1 is www.xxx.yyy.ggg
> eth0:2 is www.xxx.yyy.hhh
>
> I've tried
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP
>
> and restarted (and several variants of this). iptables-save displays
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [769:48207]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -d  www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j
> DROP
> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j
> DROP
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> <...>
> and I notice it puts the ! in front of the --dport, but has no complaints.
>
> However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules?
>
>         mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20100329/1ea5b5d8/attachment-0005.html>