[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: iptables rules



I find the best way for me to troubleshoot this sort of stuff is adding
a log rule just before any drop rule:

IPTABLES -A RH-Firewall-1-INPUT -j LOG

Then you can tailf /var/log/messages and see all the details about the
blocked/dropped packets etc.

-----Original Message-----
From: redhat-list-bounces redhat com
[mailto:redhat-list-bounces redhat com] On Behalf Of Genco Yilmaz
Sent: Tuesday, 30 March 2010 10:33 a.m.
To: General Red Hat Linux discussion list
Subject: Re: iptables rules

On Mon, Mar 29, 2010 at 11:03 PM, <m roth 5-cent us> wrote:

> >> I've got a server with several ip's on eth0. I want to block all
traffic
> >> *except* to port 80 on them, but not on any other IPs, so that
> >> eth0 is www.xxx.yyy.zzz
> >> eth0:1 is www.xxx.yyy.ggg
> >> eth0:2 is www.xxx.yyy.hhh
> >
> > How about:
> >
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp --dport 80
-j
> > ACCEPT
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -j DROP
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp --dport 80
-j
> > ACCEPT
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -j DROP
> >
> > .. I don't follow which ones are supposed to allow other traffic and
> which
> > ones aren't .. but this syntax should work for the allow port 80
only
> > portion.
>
> Yeah, I thought of that set, also, and the other was my manager's
> suggestion. I've tried that, also, and still no joy.
>
> *grump* (not you, just iptables....)
>
>         mark
>
>
Hi Mark,
   iptables is cool:) First of all make sure that loaded rules are
matching
your iptables file and no NAT rule is involved
which might have already changed destination address. It is better if
you
send the following output;

iptables -L -n -v
iptables -t nat -L -n -v


Genco.
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
==========================================================
For more information on the Television New Zealand Group, visit us
online at tvnz.co.nz 
==========================================================
CAUTION:  This e-mail and any attachment(s) contain information that
is intended to be read only by the named recipient(s).  This information
is not to be used or stored by any other person and/or organisation.




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]