iptables rules

mark m.roth at 5-cent.us
Mon Mar 29 23:53:12 UTC 2010


Geofrey Rainey wrote:
> I find the best way for me to troubleshoot this sort of stuff is adding
> a log rule just before any drop rule:
> 
> iptables -A RH-Firewall-1-INPUT -j LOG
> 
> Then you can tailf /var/log/messages and see all the details about the
> blocked/dropped packets etc.
> 
THANK YOU! I was just trying to remember how to get logging going.

	mark "trying it tomorrow"
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Genco Yilmaz
> Sent: Tuesday, 30 March 2010 10:33 a.m.
> To: General Red Hat Linux discussion list
> Subject: Re: iptables rules
> 
> On Mon, Mar 29, 2010 at 11:03 PM, <m.roth at 5-cent.us> wrote:
> 
>>>> I've got a server with several ip's on eth0. I want to block all traffic
>>>> *except* to port 80 on them, but not on any other IPs, so that
>>>> eth0 is www.xxx.yyy.zzz
>>>> eth0:1 is www.xxx.yyy.ggg
>>>> eth0:2 is www.xxx.yyy.hhh
>>> How about:
>>>
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp --dport 80 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -j DROP
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp --dport 80 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -j DROP
>>>
>>> .. I don't follow which ones are supposed to allow other traffic and which
>>> ones aren't .. but this syntax should work for the allow port 80 only
>>> portion.
>> Yeah, I thought of that set, also, and the other was my manager's
>> suggestion. I've tried that, also, and still no joy.
>>
>> *grump* (not you, just iptables....)
>>
>>         mark
>>
>>
> Hi Mark,
>    iptables is cool:) First of all make sure that loaded rules are matching
> your iptables file and no NAT rule is involved
> which might have already changed destination address. It is better if you
> send the following output;
> 
> iptables -L -n -v
> iptables -t nat -L -n -v
> 
> 
> Genco.


-- 
Ann Coulter: I'd like to be FDR, so I could not bring in the New Deal.
Al Franken: I'd like to be Hitler, so I could not bring the Holocaust, and WWII, 
and....
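The three suggestions in this thread (a LOG rule just before the DROP, per-address rules that accept TCP/80 and drop everything else to that address, and checking what the kernel actually holds in the filter and nat tables) fit together in one script. The following is an added example, not code from any poster on this list; the addresses are constructed placeholders from TEST-NET-1, the chain name is the RH-Firewall-1-INPUT chain the thread refers to, and the `APPLY` variable and the function names are this example's own. By default it only prints the rules; with `APPLY=1` it runs them through the real `iptables` binary, which needs root.

```shell
#!/bin/sh
# Added example (not from the thread): per-address "port 80 only" rules with
# a rate-limited LOG before each DROP, for the RH-Firewall-1-INPUT chain.
# Addresses are constructed placeholders (TEST-NET-1), not real hosts.

CHAIN="RH-Firewall-1-INPUT"

# gen_rules ADDR [ADDR...]
# Prints three rules per address. Order matters: iptables walks the chain
# top to bottom and takes the first match, so ACCEPT must come before LOG,
# and LOG before DROP, or the logger never sees the dropped packets.
gen_rules() {
    for addr in "$@"; do
        printf '%s\n' "-A $CHAIN -d $addr -p tcp -m tcp --dport 80 -j ACCEPT"
        # --limit keeps a port scan from flooding /var/log/messages; the
        # prefix makes the lines easy to grep for. LOG is non-terminating,
        # so the packet continues to the DROP rule below.
        printf '%s\n' "-A $CHAIN -d $addr -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP $addr: \" --log-level 4"
        printf '%s\n' "-A $CHAIN -d $addr -j DROP"
    done
}

# count_rules ADDR... : number of rule lines gen_rules emits (3 per address)
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# apply_rules ADDR... : load the generated rules with the real binary (root)
apply_rules() {
    gen_rules "$@" | while IFS= read -r rule; do
        eval "iptables $rule"
    done
}

main() {
    WEB_ONLY_ADDRS="192.0.2.10 192.0.2.11"   # constructed placeholders
    if [ "${APPLY:-0}" = 1 ]; then
        apply_rules $WEB_ONLY_ADDRS
        # Show what the kernel actually holds, as suggested in the thread.
        # A DNAT rule in the nat table rewrites -d before the filter chain
        # sees the packet, so the second listing matters as much as the first.
        iptables -L "$CHAIN" -n -v --line-numbers
        iptables -t nat -L -n -v
    else
        gen_rules $WEB_ONLY_ADDRS
    fi
}

main
```

One caveat when pasting rules like these into a live box: on a stock RHEL 5 system the RH-Firewall-1-INPUT chain already ends with a catch-all REJECT, so rules appended with `-A` land after it and are never reached. Insert them at a position before the REJECT (`iptables -I RH-Firewall-1-INPUT <n> ...`, after reading the `--line-numbers` listing) or place them above it in `/etc/sysconfig/iptables`, then confirm with `iptables -L -n -v` that the packet counters on the new rules actually increment.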