deny http access based on IP on FC3

Tim ignored_mailbox at yahoo.com.au
Sat Jan 28 12:21:57 UTC 2006


yonas abraham:
>>>> I wouldn't mind blocking every service to that IP in my machine but
>>>> preferably only httpd block.
 
Andy Green:
>>> iptables -I INPUT -p tcp --dport 80 -s 123.123.123.123 -j DROP
>>> service iptables save
>>>
>>> will do what you need.  Leave out the --dport 80 to make the guy coming
>>> from 123.123.123.123 unable to touch your box at all in tcp.
 
Neil Cherry:
>> But be aware that he may still be able to get to your UDP services.

A separate udp rule can be set up along the same lines (drop all UDP
traffic from that IP).


Jeff Vian:
> if you use the line such as 
>    iptables -I INPUT -s 123.123.123.123 -j DROP
> he won't be able to get to ANY services.

Correct, you'd want to make a rule that blocks all but port 80 (i.e. if
not port 80, drop), which is simple enough.  Something *like* the
following:

iptables -I INPUT -p tcp -s 123.123.123.123 \! --dport 80 -j DROP   # --dport only works with a protocol match (-p tcp)

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
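An added example, not part of Tim's message or anyone else's in the thread: the three variants discussed above wrapped as POSIX sh functions with a sanity check on the address, assuming iptables is on PATH; setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example (not from the thread). Set IPT=echo to preview the rules.
IPT="${IPT:-iptables}"

# Dotted quad with each octet 0-255, so a typo (or an empty argument,
# which would give an "-s" that matches every host) cannot install a bad rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Block only the web server from that host (what the original poster asked for).
block_http() {
    valid_ipv4 "$1" || return 1
    "$IPT" -I INPUT -p tcp --dport 80 -s "$1" -j DROP
}

# Block every protocol from that host: no -p, so TCP, UDP and ICMP all match
# (this also covers Neil's point about UDP services).
block_all() {
    valid_ipv4 "$1" || return 1
    "$IPT" -I INPUT -s "$1" -j DROP
}

# Block everything from that host except the web server. --dport exists only
# inside a protocol match, hence -p tcp; a second rule drops all UDP.
block_all_but_http() {
    valid_ipv4 "$1" || return 1
    "$IPT" -I INPUT -p tcp -s "$1" ! --dport 80 -j DROP
    "$IPT" -I INPUT -p udp -s "$1" -j DROP
}

# Usage from another script or an interactive shell:
#   . ./block_host.sh; block_http 123.123.123.123; iptables -L INPUT -n
```

Follow the call with `service iptables save` (as Andy noted) so the rule survives a reboot.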




More information about the fedora-list mailing list