First, I wanted to thank those who have helped me get my firewall to the
point where it is now ("mostly working").
Thanks:
        Jerry Gregory
        Chad M. Stewart
        Ron Perry
        Larry Grover
        Drew Hunt
        Charles Galpin
        (Sorry if I forgot someone)


I used the Linux Firewall Design Tool
        (Robert L. Ziegler © 1998, 1999, 2000,
http://www.linux-firewall-tools.com/linux/firewall/)
to build a firewall, and everything is working fine, except my special port
80 rules.  I would like to keep everyone connecting to port 80 out, except
let some people who connect from approved IP address lists in.

I'll list the important part of my rc.firewall (since the whole of it is
quite large).  The problem is that even with the -j ACCEPT rules set for the
HTTP_ALLOW IP address, HTTP connects from that address do not work (lynx
just hangs waiting for a response).  But the internal networks (10.x) can
access the HTTP fine (as they are supposed to), so I know httpd is at
least running correctly.  If I change the DENYs to ACCEPT, then it lets
everyone in (obviously), but I'm stumped.

Here are my rules:


    # ------------------------------------------------------------------

    # HTTP server (80)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 80 -j DENY
             #-d $IPADDR 80 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 80 \
             --destination-port $UNPRIVPORTS -j DENY
             #--destination-port $UNPRIVPORTS -j ACCEPT

        # now add some accept code for those who *are* allowed into the http server.

echo "Begin HTTP Stealth mode..."

HTTP_ALLOW=216.65.141.217/32

        ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
                -s $HTTP_ALLOW $UNPRIVPORTS \
                -d $IPADDR 80 -j ACCEPT

        ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
                -s $IPADDR 80 \
                -d $HTTP_ALLOW $UNPRIVPORTS -j ACCEPT

echo "...End HTTP Stealth mode"



    # HTTP client (80)
    # ----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 80 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 80 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------


Again, thanks for all of your help.

Dan Browning
Network & Database Administrator
Cyclone Computer Systems



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
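The following is an added example; it is not part of Dan's post or of Ziegler's
firewall tool.  ipchains walks a chain top to bottom and acts on the first rule
that matches, so when the catch-all port-80 DENY is appended before the
HTTP_ALLOW ACCEPT, the ACCEPT is never consulted.  DENY also drops the packet
silently (REJECT is the target that answers with an ICMP error), which is
consistent with a client hanging rather than being refused.  The script below
replays the four port-80 rules from the post through a small first-match
evaluator in both orders.  The interface name, the firewall address and the
DENY default policy are assumed values for the example; HTTP_ALLOW is the
address from the post.

```python
"""First-match walk through the post's ipchains HTTP server rules (added example).

ipchains applies the first matching rule in a chain.  Appending the catch-all
DENY before the HTTP_ALLOW ACCEPT makes the ACCEPT unreachable, so the allowed
host's SYN is silently dropped.  Interface, firewall address and the chain
policy are assumptions; HTTP_ALLOW is taken from the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXTERNAL_INTERFACE = "eth0"       # assumption: what $EXTERNAL_INTERFACE expands to
IPADDR = "192.0.2.10"             # assumption: $IPADDR, a TEST-NET-1 address
HTTP_ALLOW = "216.65.141.217/32"  # from the post
ANYWHERE = "0.0.0.0/0"
UNPRIVPORTS = (1024, 65535)       # what $UNPRIVPORTS expands to in Ziegler's scripts
HTTP = (80, 80)


@dataclass(frozen=True)
class Rule:
    chain: str
    src: str                  # CIDR
    sports: Tuple[int, int]   # inclusive source-port range
    dst: str
    dports: Tuple[int, int]
    syn: Optional[bool]       # True = -y, False = ! -y, None = flag not tested
    target: str

    def render(self) -> str:
        """The ipchains command line this rule corresponds to."""
        parts = ["ipchains", "-A", self.chain, "-i", EXTERNAL_INTERFACE, "-p", "tcp"]
        if self.syn is True:
            parts.append("-y")
        elif self.syn is False:
            parts += ["!", "-y"]
        parts += ["-s", f"{self.src} {self.sports[0]}:{self.sports[1]}",
                  "-d", f"{self.dst} {self.dports[0]}:{self.dports[1]}",
                  "-j", self.target]
        return " ".join(parts)


@dataclass(frozen=True)
class Packet:
    chain: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool


def _in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.chain == pkt.chain
            and _in_net(pkt.src, rule.src) and rule.sports[0] <= pkt.sport <= rule.sports[1]
            and _in_net(pkt.dst, rule.dst) and rule.dports[0] <= pkt.dport <= rule.dports[1]
            and (rule.syn is None or rule.syn == pkt.syn))


def verdict(rules: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain policy applies (assumed DENY)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


# The four port-80 rules from the post, in the order the post appends them.
deny_in   = Rule("input",  ANYWHERE,   UNPRIVPORTS, IPADDR,     HTTP,        None,  "DENY")
deny_out  = Rule("output", IPADDR,     HTTP,        ANYWHERE,   UNPRIVPORTS, False, "DENY")
allow_in  = Rule("input",  HTTP_ALLOW, UNPRIVPORTS, IPADDR,     HTTP,        None,  "ACCEPT")
allow_out = Rule("output", IPADDR,     HTTP,        HTTP_ALLOW, UNPRIVPORTS, False, "ACCEPT")

POSTED_ORDER = [deny_in, deny_out, allow_in, allow_out]
CORRECTED_ORDER = [allow_in, allow_out, deny_in, deny_out]   # HTTP_ALLOW ACCEPTs first


def http_verdicts(rules: List[Rule], client_ip: str, client_port: int = 40000) -> Tuple[str, str]:
    """Verdicts for the client's SYN (input chain) and the server's SYN-ACK (output chain)."""
    syn = Packet("input", client_ip, client_port, IPADDR, 80, True)
    syn_ack = Packet("output", IPADDR, 80, client_ip, client_port, False)
    in_chain = [r for r in rules if r.chain == "input"]
    out_chain = [r for r in rules if r.chain == "output"]
    return verdict(in_chain, syn), verdict(out_chain, syn_ack)


def corrected_script() -> str:
    """The rc.firewall fragment with the HTTP_ALLOW rules placed before the DENYs."""
    return "\n".join(r.render() for r in CORRECTED_ORDER)


if __name__ == "__main__":
    for label, rules in (("posted order   ", POSTED_ORDER), ("corrected order", CORRECTED_ORDER)):
        print(label, "HTTP_ALLOW host:", http_verdicts(rules, "216.65.141.217"))
        print(label, "other host:     ", http_verdicts(rules, "198.51.100.7"))
    print(corrected_script())
```

In the rc.firewall itself the equivalent change is to move the two HTTP_ALLOW
ACCEPT rules above the two port-80 DENY rules (or append the DENYs last);
corrected_script() prints the fragment in that order.  Hosts outside
HTTP_ALLOW still fall through to the DENY in either ordering.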