On Sunday 19 May 2002 1:10 pm, nir cohen wrote:

> I have another question for you: I try to establish iptables with a feature
> that I know the Microsoft ISA server can do and calls web publishing.

I do not know about this feature or this software.

> First, we have to make sure that our firewall still protects the internal
> webserver and that only the external webserver is allowed to retrieve data
> from it. For a packet-filtering firewall we could for instance configure a
> firewall ruleset like the following:
>
> ALLOW Host www.quux-corp.dom Port >1024 --> Host www2.quux-corp.dom Port 80
> DENY  Host *                 Port *     --> Host www2.quux-corp.dom Port 80

To do this in netfilter, you could try something like:

iptables -A FORWARD -p tcp -s aa.bb.cc.dd -d ww.xx.yy.zz --dport 80 -j ACCEPT
iptables -A FORWARD -d ww.xx.yy.zz -j DROP

where aa.bb.cc.dd is the IP address of your 'external' server (I hope it's
really on a DMZ, not completely outside the firewall...), and ww.xx.yy.zz
is the IP address of your internal server.

These rules will allow the ext. server to access port 80 of the int. server, 
and will not allow anything else to access the int. server.


If this doesn't fix your problem please remember that this is an iptables /
netfilter mailing list, not apache (and definitely not anything Microsoft!).

Antony.
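As an added illustration (not part of Antony's message, and it never touches a real firewall), a small Python model of how netfilter walks the two FORWARD rules above: the first matching rule decides, so ACCEPT-before-DROP order matters, and anything matching neither rule falls through to the chain policy. The addresses are constructed stand-ins for aa.bb.cc.dd and ww.xx.yy.zz.

```python
"""Toy first-match evaluator for the FORWARD ruleset from the reply.

Constructed example: it does not invoke iptables, it only models how a
netfilter chain is walked. The first rule that matches decides the verdict;
a packet matching no rule gets the chain policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses standing in for aa.bb.cc.dd (DMZ web server)
# and ww.xx.yy.zz (internal web server) in the reply.
EXT_WWW = "10.0.1.10"
INT_WWW = "10.0.2.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    target: str                    # -j ACCEPT or -j DROP
    proto: Optional[str] = None    # -p
    src: Optional[str] = None      # -s (address or CIDR)
    dst: Optional[str] = None      # -d
    dport: Optional[range] = None  # --dport

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or self.proto == p.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.dport is None or p.dport in self.dport,
        ])


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """Walk the chain in order; the first matching rule wins."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The two rules from the reply, in the order given.
FORWARD = [
    Rule("ACCEPT", proto="tcp", src=EXT_WWW, dst=INT_WWW, dport=range(80, 81)),
    Rule("DROP", dst=INT_WWW),
]
```

Note that neither rule says anything about packets leaving the internal server, so what happens to its replies depends on the chain policy or on a separate state-matching rule.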
