Subject: | |
From: | |
Reply To: | |
Date: | Tue, 10 Apr 2012 21:28:49 +0100 |
Content-Type: | TEXT/PLAIN |
Parts/Attachments: |
|
|
On Mon, 9 Apr 2012, =?ISO-8859-1?Q?Terry_N?= wrote:
> Hi,
> after so many attempts of unsuccessfully restricted and allowed specified
> domain from accessing my vhost, I tried the firewall. Firewall did not
> work. Not sure where I messed it up. See below, port 80, REJECT ip_address
> wasn't working. That IP address was my laptop:
<snip apache bits...>
> FIREWALL:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth+ -j MASQUERADE
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
So far so good...
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth+ -j ACCEPT
These rule will accept all traffic from lo or any interface with a name
starting with eth...
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -s 192.168.1.xyz --dport 80 -j REJECT
This attempt to reject the traffic from 192.168.1.xyz to tcp port 80 will
have no effect if the traffic came from lo or eth+ ... For this to have
an effect you probably want to move it above the accepts on eth+ !
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth+ -j ACCEPT
> -A FORWARD -o eth+ -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
This INPUT rule is out of the *usual* order but quite valid, it will
reject inbound traffic, but not for anything which has already been dealt
with, ie anything on an interface not matching lo or eth+ (pppN or bridges
for example).
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
If you run iptables-save after loading your rules you will see the current
rules in a format you can easily/quickly load back in.
Using:
iptables -nvL INPUT
will show usage counts for each rule, which can help catch some errors
(e.g a rule having 0 uses probably means that all traffic it would match
is already handled by a rule earlier in the chains)...
-- Jon
|
|
|