Hi, I'm in the middle of trying to build a secure webserver, using stock woody (2.4.18-bf2.4); the box was completely updated last night. I installed just the base (never used dselect or tasksel) during the install. Once it was installed, I installed:

apache php4 ssh dnsutils lynx iptables (chose not to run the init.d script)

The machine can surf the web no problem and accepts inbound port 80 and 22 connections from other boxes on the same subnet. (The box is at present not locked down, as I'm making sure certain configurations work; then I will reinstall off the network and build it up that way.)

I decided to test iptables, using a very, very basic script below:

    #!/bin/bash
    # (module name corrected from "iptables" to "ip_tables"; the iptables
    # binary autoloads it anyway, so this does not change behaviour)
    /sbin/modprobe ip_tables
    /sbin/modprobe ipt_state
    /sbin/modprobe ip_conntrack
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
    /sbin/iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

I can do outbound nslookup requests no problem, but it now fails to allow inbound connections at all, to either port 80 or port 22.

I have another box (this one is running redhat 8), which I'm replacing with debian woody, so I killed that and loaded on a bloat-riddled basic rh install, ran the same script and that works as expected, allowing inbound connections; all the same modules are loaded.

Just for the record, I'm running a woody/sarge/sid mix on my laptop and that does the same as my test woody box: it just refuses to accept inbound connections.

This is driving me mad. Can anyone possibly point me in the right direction, as it seems there may be something debian specific that I'm missing?

cheers in advance

Mark
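An added example, not part of Mark's post: the same policy rewritten so it can be dry-run, with the one rule the posted script lacks. The posted INPUT chain accepts only packets in state NEW on ports 22 and 80. A client's SYN therefore gets in, the server's SYN-ACK leaves through the OUTPUT ESTABLISHED,RELATED rule, and then the client's ACK that completes the handshake (and every later packet of that connection) arrives in state ESTABLISHED, matches no INPUT rule, and is dropped by the INPUT policy. The interface name, the IPT/MODPROBE variables and the apply/dry-run interface are assumptions of this example; `sh fw.sh` (or `sh fw.sh dry-run`) prints the commands it would run, `sh fw.sh apply` executes them as root.

```shell
#!/bin/sh
# Added example, not the original poster's script. IPT, MODPROBE and IFACE
# are assumptions; override them in the environment (IPT=echo for a dry run).
IPT="${IPT:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
IFACE="${IFACE:-eth0}"

load_modules() {
    # The netfilter core module is ip_tables (not "iptables"); the state
    # match and connection tracking are the same modules the original loads.
    for m in ip_tables ip_conntrack ipt_state; do
        "$MODPROBE" "$m"
    done
}

apply_rules() {
    # Start from an empty filter table with DROP as the default everywhere.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP

    # Loopback is unrestricted.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to a connection conntrack already knows about are
    # accepted in BOTH directions. The INPUT rule is what the original lacks:
    # without it the client's handshake ACK hits the DROP policy, so no
    # inbound TCP session ever gets past the SYN.
    "$IPT" -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections this host may open: DNS only. The replies match the
    # INPUT ESTABLISHED rule above, so no separate --sport 53 rule is needed.
    "$IPT" -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # New connections others may open to this host: ssh and http.
    "$IPT" -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Self-check for the mistake in the original: a ruleset whose INPUT chain
# never accepts ESTABLISHED,RELATED traffic cannot serve any TCP connection,
# however many NEW rules it has. Returns 0 if the rule is present.
has_input_state_rule() {
    ( IPT=echo; apply_rules ) | grep -q -- '-A INPUT .*--state ESTABLISHED,RELATED'
}

case "${1:-dry-run}" in
    apply)   load_modules && apply_rules ;;
    dry-run) ( IPT=echo; apply_rules ) ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

The `--sport 1024:65535` restrictions from the original were left out; they are not what blocks the inbound connections, and once return traffic is matched by connection state they add nothing. Run the dry-run first and check that the INPUT ESTABLISHED,RELATED rule is listed before the NEW rules for 22 and 80, since iptables evaluates a chain top to bottom.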