On 3 May 2011 16:21, Hilco Wijbenga <hilco.wijbe...@gmail.com> wrote:
> Hi all,
>
> I'm attempting to set up a simple firewall on a virtual server. I have
> the following:
>
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -j LOG
> iptables -A INPUT -j REJECT
>
> (And iptables -L shows that this setup has been accepted.)
>
> This was supposed to only allow my box (or at least my public IP)
> access to port 80 on this server. I can not access port 80 at all,
> however. (Please note that without --source it works as expected.)
>
> What am I doing wrong?
Mmmh, it does work after all. You have to be careful to restart everything, I guess.

I've moved the --source to the SSH line. That works too, but it seems like I can only have 1 connection open at the same time. Sort of. I have a reverse connection from a local server with a non-routable IP to this public server. That works. But then I can't access the public server anymore. If I kill the reverse connection and wait a few minutes, I can log in again. Switch the reverse connection back on ... and I can't log in anymore. Strange.

> On a related note, the logging only logs the packet, but no timestamp.
> Is that configurable somewhere?
>
> Cheers,
> Hilco
>
> --
> Archive: http://lists.debian.org/BANLkTim62rNnK1m6gJuCziQaZZ=OOF6_=g...@mail.gmail.com
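For readers following the thread, here is the rule set from the quoted message as a small script, with the --source restriction moved to the SSH rule as described in the reply. This is an added example, not Hilco's script: the interface name, the admin address (a placeholder standing in for m.y.i.p) and the log prefix are assumptions, and the DRY_RUN switch exists only so the generated commands can be inspected before they are applied. The LOG target itself never writes a timestamp; the kernel log line gets one from syslog (or shows seconds since boot in dmesg), so a prefix is the practical way to find the entries.

```shell
#!/bin/sh
# Added example (not from the original post). Rebuilds the INPUT chain from
# scratch in the order the quoted message used, with new SSH connections
# limited to one admin address. DRY_RUN=1 prints the commands instead of
# running them, so the result can be checked without root.

IFACE="${IFACE:-venet0}"                # assumed: the public interface
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"    # placeholder for m.y.i.p (documentation range)

# Run iptables, or echo the command line when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the whole rule set: flush, default policies, then rules in match order.
build_rules() {
    ipt --flush
    ipt -t nat --flush
    ipt -t mangle --flush
    ipt --policy INPUT DROP
    ipt --policy OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, and related traffic, are
    # accepted first so later rules only ever see NEW packets.
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New SSH sessions only from the admin address.
    ipt -A INPUT -p tcp -i "$IFACE" -s "$ADMIN_IP" --dport 22 -m state --state NEW -j ACCEPT
    # HTTP open to everyone (the reply says --source was moved off this rule).
    ipt -A INPUT -p tcp -i "$IFACE" --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    # LOG has no timestamp option; syslog stamps the kernel log line. The
    # prefix makes the dropped-packet lines easy to grep for.
    ipt -A INPUT -j LOG --log-prefix "fw-input-drop: "
    ipt -A INPUT -j REJECT
}

# Print the Nth generated command (dry run), for inspection.
rule_line() {
    DRY_RUN=1 build_rules | sed -n "${1}p"
}

# Count generated commands containing a token (dry run).
count_rules_with() {
    DRY_RUN=1 build_rules | grep -c -- "$1"
}

# Total number of generated commands (dry run).
rule_count() {
    DRY_RUN=1 build_rules | wc -l | tr -d ' '
}

if [ "${DRY_RUN:-0}" = "1" ]; then
    build_rules
fi
```

Run it as `DRY_RUN=1 sh firewall.sh` to review the commands, then without DRY_RUN (as root) to apply them; `iptables -L -n -v` afterwards shows per-rule packet counters, and `-n` avoids the DNS lookups that make plain `iptables -L` slow on a box whose resolver is blocked by the very rules being checked.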