Jon,
your input works like a charm.
Thank you!

On Tue, Apr 10, 2012 at 4:28 PM, Jon Peatfield <
j.s.peatfi...@damtp.cam.ac.uk> wrote:

> On Mon, 9 Apr 2012, Terry N wrote:
>
>> Hi,
>> after so many attempts of unsuccessfully restricted and allowed specified
>> domain from accessing my vhost, I tried the firewall.  Firewall did not
>> work.  Not sure where I messed it up.  See below, port 80, REJECT
>> ip_address
>> wasn't working.  That IP address was my laptop:
>>
> <snip apache bits...>
>
>
>> FIREWALL:
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A POSTROUTING -o eth+ -j MASQUERADE
>> COMMIT
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>>
>
> So far so good...
>
>
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth+ -j ACCEPT
>>
>
> These rules will accept all traffic from lo or any interface with a name
> starting with eth...
>
>
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A INPUT -p tcp -s 192.168.1.xyz --dport 80 -j REJECT
>>
>
> This attempt to reject the traffic from 192.168.1.xyz to tcp port 80 will
> have no effect if the traffic came from lo or eth+ ...  For this to have an
> effect you probably want to move it above the accepts on eth+ !
>
>
>> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -p icmp -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -i eth+ -j ACCEPT
>> -A FORWARD -o eth+ -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>
> This INPUT rule is out of the *usual* order but quite valid: it will
> reject inbound traffic, but not for anything which has already been dealt
> with, i.e. anything on an interface not matching lo or eth+ (pppN or bridges
> for example).
>
>
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>
> If you run iptables-save after loading your rules you will see the current
> rules in a format you can easily/quickly load back in.
>
> Using:
>
>  iptables -nvL INPUT
>
> will show usage counts for each rule, which can help catch some errors
> (e.g. a rule having 0 uses probably means that all traffic it would match is
> already handled by a rule earlier in the chains)...
>
>  -- Jon
>
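
Jon's ordering point, as an added example that is not part of the thread: a small Python model of iptables first-match evaluation run over Terry's INPUT chain, showing that the port-80 REJECT never fires until it is moved above the blanket `-i eth+` ACCEPT. The 192.168.1.xyz address is replaced by a constructed 192.168.1.23, the packets are constructed, and the parser only understands the options the posted rules use.

```python
# INPUT chain as posted; 192.168.1.23 is a constructed stand-in for the redacted 192.168.1.xyz.
ORIGINAL_INPUT = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s 192.168.1.23 --dport 80 -j REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
KEYS = {"-i": "iface", "-p": "proto", "-s": "src", "--dport": "dport",
        "--state": "states", "-j": "target"}  # "-m state", "-m tcp", "--reject-with" add no match

def parse_rules(text):
    """Parse the subset of iptables-save rule syntax used in the thread."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        rule = {KEYS[t]: toks[i + 1] for i, t in enumerate(toks) if t in KEYS}
        if "dport" in rule: rule["dport"] = int(rule["dport"])
        if "states" in rule: rule["states"] = set(rule["states"].split(","))
        rules.append(rule)
    return rules

def rule_matches(rule, pkt):
    """Every option on the rule must match; a trailing '+' on -i is a prefix wildcard."""
    pat = rule.get("iface", pkt["iface"])
    iface_ok = pkt["iface"].startswith(pat[:-1]) if pat.endswith("+") else pat == pkt["iface"]
    return iface_ok and pkt["state"] in rule.get("states", {pkt["state"]}) and all(
        rule.get(k, pkt.get(k)) == pkt.get(k) for k in ("proto", "src", "dport"))

def walk_chain(rules, pkt):
    """First matching rule decides (iptables semantics); returns (verdict, 1-based rule no.)."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule["target"], n
    return "ACCEPT", None  # fell through to the chain policy (":INPUT ACCEPT")

def reorder(text):
    """Jon's fix: move the host-specific REJECT above the blanket lo/eth+ ACCEPTs."""
    lines = text.strip().splitlines()
    reject = [l for l in lines if "--dport 80" in l and "-j REJECT" in l]
    rest = [l for l in lines if l not in reject]
    first = min(i for i, l in enumerate(rest) if " -i " in l)
    return "\n".join(rest[:first] + reject + rest[first:])

# Constructed packet: the laptop opening a new HTTP connection, arriving on eth0.
LAPTOP_SYN = {"iface": "eth0", "proto": "tcp", "src": "192.168.1.23", "dport": 80, "state": "NEW"}
for chain in (ORIGINAL_INPUT, reorder(ORIGINAL_INPUT)):
    print(walk_chain(parse_rules(chain), LAPTOP_SYN))  # ('ACCEPT', 4) then ('REJECT', 3)
```

The same walk also shows Jon's remark about other interfaces: a port-80 packet arriving on ppp0 skips the lo/eth+ accepts and lands on the final catch-all REJECT.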
