iptables rules

Geofrey Rainey Geofrey.Rainey at tvnz.co.nz
Mon Mar 29 22:22:27 UTC 2010


I find the best way for me to troubleshoot this sort of stuff is adding
a log rule just before any drop rule:

iptables -A RH-Firewall-1-INPUT -j LOG

Then you can tailf /var/log/messages and see all the details about the
blocked/dropped packets etc.

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Genco Yilmaz
Sent: Tuesday, 30 March 2010 10:33 a.m.
To: General Red Hat Linux discussion list
Subject: Re: iptables rules

On Mon, Mar 29, 2010 at 11:03 PM, <m.roth at 5-cent.us> wrote:

> >> I've got a server with several ip's on eth0. I want to block all traffic
> >> *except* to port 80 on them, but not on any other IPs, so that
> >> eth0 is www.xxx.yyy.zzz
> >> eth0:1 is www.xxx.yyy.ggg
> >> eth0:2 is www.xxx.yyy.hhh
> >
> > How about:
> >
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp --dport 80 -j ACCEPT
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -j DROP
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp --dport 80 -j ACCEPT
> > -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -j DROP
> >
> > .. I don't follow which ones are supposed to allow other traffic and which
> > ones aren't .. but this syntax should work for the allow port 80 only
> > portion.
>
> Yeah, I thought of that set, also, and the other was my manager's
> suggestion. I've tried that, also, and still no joy.
>
> *grump* (not you, just iptables....)
>
>         mark
>
>
Hi Mark,
   iptables is cool:) First of all make sure that loaded rules are matching
your iptables file and no NAT rule is involved which might have already
changed destination address. It is better if you send the following output;

iptables -L -n -v
iptables -t nat -L -n -v


Genco.
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
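An added example, written for this archive page and not code from any of the posters above, that turns the two suggestions in the thread into one script: the "port 80 only" rule set per address with a LOG rule placed immediately before each DROP, and a summary of the kernel log lines that LOG rule produces. Assumptions: the RHEL default chain RH-Firewall-1-INPUT, the documentation addresses 198.51.100.11 and 198.51.100.12 standing in for www.xxx.yyy.ggg and www.xxx.yyy.hhh, the log prefix "FW-DROP: ", and a constructed sample of /var/log/messages. Two things the thread only hints at are made explicit: LOG is a non-terminating target, so it only documents a drop if it sits before the DROP (and a `-m limit` match keeps a scan from flooding the log), and because the LOG rule lives in INPUT, the DST= it records is the address after any PREROUTING DNAT, which is the address a `-d` match in INPUT actually compares against.

```shell
#!/bin/sh
# Added example for the iptables thread; not code from any of its posters.
# Assumed: chain RH-Firewall-1-INPUT, addresses 198.51.100.11/.12 in place of
# www.xxx.yyy.ggg/.hhh, log prefix "FW-DROP: ". Sample log lines are constructed.

# Emit iptables-restore lines for each address: accept TCP/80, log what is
# left, then drop it. LOG does not stop rule traversal, so it must come right
# before the DROP it explains; the limit match bounds the log volume.
build_rules() {
    chain="RH-Firewall-1-INPUT"
    for ip in "$@"; do
        printf -- '-A %s -d %s -p tcp -m tcp --dport 80 -j ACCEPT\n' "$chain" "$ip"
        printf -- '-A %s -d %s -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: " --log-level 4\n' "$chain" "$ip"
        printf -- '-A %s -d %s -j DROP\n' "$chain" "$ip"
    done
}

# Wrap the rules in a filter-table block and append them to the live chain
# without flushing what is already loaded (needs root; only run on request).
apply_rules() {
    { printf '*filter\n'; build_rules "$@"; printf 'COMMIT\n'; } | iptables-restore --noflush
}

# Count logged drops by destination address, protocol and destination port,
# reading kernel log lines on stdin. DST here is post-DNAT: if a -d rule in
# INPUT never matches, this column shows the address the kernel really sees.
summarize_drops() {
    awk '/FW-DROP:/ {
        dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        count[dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k2,2 -k3,3 -k4,4n
}

# Constructed sample of what the LOG target writes to /var/log/messages,
# plus one unrelated line that must be ignored.
SAMPLE_LOG='Mar 29 22:20:01 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.11 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 22:20:02 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.11 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 22:20:03 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.12 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9001 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 29 22:20:04 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.12 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=9002 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 29 22:20:05 web sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2'

# "script.sh apply A B ..." loads the rules; with no arguments it prints the
# rule set and the summary of the constructed sample instead.
if [ "${1:-}" = "apply" ]; then
    shift
    apply_rules "$@"
else
    build_rules 198.51.100.11 198.51.100.12
    echo
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

On a real host the same summary comes from `grep FW-DROP: /var/log/messages | summarize_drops`; a DST that is not one of the aliased addresses, or a DPT=80 line appearing at all, points straight at the NAT or ordering problem the thread is chasing.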