SCIENTIFIC-LINUX-USERS Archives

April 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Jon Peatfield <[log in to unmask]>
Date: Tue, 10 Apr 2012 21:28:49 +0100

On Mon, 9 Apr 2012, Terry N wrote:

> Hi,
> after so many attempts of unsuccessfully restricted and allowed specified
> domain from accessing my vhost, I tried the firewall.  Firewall did not
> work.  Not sure where I messed it up.  See below, port 80, REJECT ip_address
> wasn't working.  That IP address was my laptop:
<snip apache bits...>

> FIREWALL:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth+ -j MASQUERADE
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT

So far so good...

> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth+ -j ACCEPT

These rules will accept all traffic from lo or any interface with a name 
starting with eth...

> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -s 192.168.1.xyz --dport 80 -j REJECT

This attempt to reject the traffic from 192.168.1.xyz to tcp port 80 will 
have no effect if the traffic came from lo or eth+ ...  For this to have 
an effect you probably want to move it above the accepts on eth+ !

> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth+ -j ACCEPT
> -A FORWARD -o eth+ -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited

This INPUT rule is out of the *usual* order but quite valid; it will 
reject inbound traffic, but not for anything which has already been dealt 
with, i.e. anything on an interface not matching lo or eth+ (pppN or bridges 
for example).

> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT

If you run iptables-save after loading your rules you will see the current 
rules in a format you can easily/quickly load back in.

Using:

   iptables -nvL INPUT

will show usage counts for each rule, which can help catch some errors 
(e.g. a rule having 0 uses probably means that all traffic it would match 
is already handled by a rule earlier in the chains)...

  -- Jon
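The ordering problem Jon describes (a REJECT placed after a broad `-i eth+ -j ACCEPT` can never fire, and the zero hit counter from `iptables -nvL` is the symptom) can be checked without touching a live firewall. The following is an added example, not code from the thread: a small first-match evaluator that parses the INPUT rules in iptables-save format, reports which rule a packet would hit, and lists the later rules that also match and are therefore shadowed for that packet. The two rulesets are constructed from the one quoted above; `192.168.1.50` is a made-up stand-in for the poster's `192.168.1.xyz`, and the packet descriptions are constructed sample input. Only the matches used in the posted rules (`-i`, `-p`, `-s`, `--dport`, `--state`) are implemented.

```python
"""Simulate iptables first-match evaluation of an INPUT chain to show how
rule order decides whether a REJECT ever takes effect. Added example; not
part of the original thread. Only the match options used in the quoted
ruleset are understood."""
import ipaddress
import shlex

# INPUT rules as posted (constructed copy; 192.168.1.50 stands in for the
# poster's 192.168.1.xyz placeholder).
ORIGINAL_INPUT = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s 192.168.1.50 --dport 80 -j REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# The same rules with the REJECT moved above the eth+ ACCEPT, as suggested.
FIXED_INPUT = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 192.168.1.50 --dport 80 -j REJECT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed sample packets: a new HTTP connection from the laptop on eth0,
# SSH from the same laptop, and a new connection arriving over a ppp link.
LAPTOP_HTTP = {"iface": "eth0", "proto": "tcp", "src": "192.168.1.50", "dport": 80, "state": "NEW"}
LAPTOP_SSH = {"iface": "eth0", "proto": "tcp", "src": "192.168.1.50", "dport": 22, "state": "NEW"}
PPP_HTTPS = {"iface": "ppp0", "proto": "tcp", "src": "203.0.113.7", "dport": 443, "state": "NEW"}


def parse_rules(text):
    """Turn '-A CHAIN ...' lines into dicts of match criteria plus target."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        rule = {"chain": toks[1]}  # toks[0] is '-A'
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-i":
                rule["iface"] = toks[i + 1]
            elif t == "-p":
                rule["proto"] = toks[i + 1]
            elif t == "-s":
                # a bare address is a /32, exactly as iptables treats it
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif t == "--state":
                rule["state"] = set(toks[i + 1].split(","))
            elif t == "-j":
                rule["target"] = toks[i + 1]
            elif t in ("-m", "--reject-with"):
                pass  # extension loader / reject type: no match criteria
            else:
                raise ValueError(f"unhandled token {t!r} in {line!r}")
            i += 2
        rules.append(rule)
    return rules


def iface_matches(pattern, name):
    """iptables' trailing '+' matches any interface name with that prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def rule_matches(rule, pkt):
    if "iface" in rule and not iface_matches(rule["iface"], pkt["iface"]):
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def evaluate(text, pkt, policy="ACCEPT"):
    """Return (index of first matching rule, its target, indices of later rules
    that also match but can never be reached by this packet)."""
    rules = parse_rules(text)
    hits = [i for i, r in enumerate(rules) if rule_matches(r, pkt)]
    if not hits:
        return (None, policy, [])
    return (hits[0], rules[hits[0]]["target"], hits[1:])


if __name__ == "__main__":
    for name, ruleset in (("original", ORIGINAL_INPUT), ("fixed", FIXED_INPUT)):
        idx, target, shadowed = evaluate(ruleset, LAPTOP_HTTP)
        print(f"{name}: laptop HTTP hits rule {idx} -> {target}; shadowed rules {shadowed}")
```

With the original order the laptop's HTTP connection is accepted by rule 3 (`-i eth+`) and the REJECT at index 5 is reported as shadowed, which is exactly the rule that would show zero hits under `iptables -nvL INPUT`. With the REJECT moved up it becomes the first match, SSH from the same laptop still reaches the eth+ ACCEPT, and a new connection on ppp0 falls through to the final catch-all REJECT in both orders.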
