Dave-

iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT

Appending these to your other rules should work. The rules are applied in order, so a packet from localhost will match the accept rule and be accepted, and all others will reach the reject rule.

Casey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Smith
Sent: Wednesday, April 02, 2003 10:58 PM
To: [EMAIL PROTECTED]
Subject: [uug] iptables to disallow remote connection

In an effort to secure my proxy filter, I'd like to disallow connections to ports 8080 and 3128 from remote hosts, that is I only want to allow access from 127.0.0.1. Can anyone specify an iptables rule to accomplish this. I've posted below my existing rules:

#!/bin/bash

# Interface facing the Internet and interface facing the LAN
OUT_INTERFACE=eth0
IN_INTERFACE=eth1

echo Flushing and initializing iptables...
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo Setting up IP-masquerading/NAT...
iptables --table nat --append POSTROUTING --out-interface $OUT_INTERFACE -j MASQUERADE
iptables --append FORWARD --in-interface $IN_INTERFACE -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

echo Blocking dangerous ports...
# Allow loopback access. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Block specific port numbers
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT   # Block Kazaa
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT    # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT    # Block Windows file sharing

# Special protection: drop packets arriving on the external interface
# that claim a loopback source address (spoofed)
iptables -A INPUT -p all -s localhost -i $OUT_INTERFACE -j DROP

echo Setting up redirection for transparent proxy...
# This redirects all web requests (port 80) to DansGuardian (port 8080)
iptables -t nat -A PREROUTING -i $IN_INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 8080

DATE=$(date)
echo "At $DATE, your firewall was restarted." | sendmail [EMAIL PROTECTED]
echo Done!
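The first-match behaviour Casey describes, and the way appended rules interact with the rules already in David's script, can be checked without touching a live firewall. The following is an added example, not code from the thread: a small Python model of INPUT-chain evaluation (first matching rule with a terminating target decides, otherwise the chain's default ACCEPT policy), loaded with David's INPUT rules followed by Casey's four rules. The packets are constructed for the example (203.0.113.5 as a remote host, 192.168.1.10 as a LAN client); the interface names eth0/eth1 come from the posted script. It also evaluates the packet a LAN client produces after the script's PREROUTING REDIRECT rule, which arrives in INPUT with the client's own source address and destination port 8080, and, going beyond the thread, an alternative pair of rules (an assumption of this example) that scopes the rejection to the external interface instead of to the source address.

```python
import ipaddress

# Interface names as used in the posted script.
OUT_INTERFACE = "eth0"   # Internet-facing
IN_INTERFACE = "eth1"    # LAN-facing


def rule(target, src=None, in_iface=None, proto=None, dport=None):
    """One INPUT-chain rule; None means the field is not matched on."""
    return {
        "target": target,
        "src": ipaddress.ip_network(src) if src else None,
        "in_iface": in_iface,
        "proto": proto,
        "dport": dport,
    }


def matches(r, pkt):
    """True when every specified field of the rule matches the packet."""
    if r["src"] is not None and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["in_iface"] is not None and pkt["in_iface"] != r["in_iface"]:
        return False
    if r["proto"] is not None and pkt["proto"] != r["proto"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first match wins, else the policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


# INPUT rules from David's script, in the order the script appends them.
DAVID_INPUT = [
    rule("ACCEPT", in_iface="lo"),
    rule("REJECT", proto="tcp", dport=1214),
    rule("REJECT", proto="tcp", dport=139),
    rule("REJECT", proto="tcp", dport=445),
    rule("DROP", src="127.0.0.1", in_iface=OUT_INTERFACE),  # spoofed loopback
]

# Casey's four rules, appended after the existing ones ("0/0" = 0.0.0.0/0).
CASEY_RULES = [
    rule("ACCEPT", src="127.0.0.1", proto="tcp", dport=8080),
    rule("REJECT", src="0.0.0.0/0", proto="tcp", dport=8080),
    rule("ACCEPT", src="127.0.0.1", proto="tcp", dport=3128),
    rule("REJECT", src="0.0.0.0/0", proto="tcp", dport=3128),
]

# Alternative (assumption of this example): reject only on the external
# interface, so loopback and LAN-side traffic keep working.
SCOPED_RULES = [
    rule("REJECT", in_iface=OUT_INTERFACE, proto="tcp", dport=8080),
    rule("REJECT", in_iface=OUT_INTERFACE, proto="tcp", dport=3128),
]

# Constructed packets (203.0.113.0/24 is a documentation range).
PACKETS = {
    "local_client":   {"src": "127.0.0.1",    "in_iface": "lo",          "proto": "tcp", "dport": 8080},
    "remote_8080":    {"src": "203.0.113.5",  "in_iface": OUT_INTERFACE, "proto": "tcp", "dport": 8080},
    "remote_3128":    {"src": "203.0.113.5",  "in_iface": OUT_INTERFACE, "proto": "tcp", "dport": 3128},
    "remote_ssh":     {"src": "203.0.113.5",  "in_iface": OUT_INTERFACE, "proto": "tcp", "dport": 22},
    "spoofed_lo":     {"src": "127.0.0.1",    "in_iface": OUT_INTERFACE, "proto": "tcp", "dport": 8080},
    # LAN client's port-80 request after PREROUTING REDIRECT: source is
    # still the client, destination port is now 8080.
    "lan_redirected": {"src": "192.168.1.10", "in_iface": IN_INTERFACE,  "proto": "tcp", "dport": 8080},
}


def evaluate(chain):
    """Return {packet name: verdict} for every constructed packet."""
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("Casey's rules", DAVID_INPUT + CASEY_RULES),
                         ("interface-scoped", DAVID_INPUT + SCOPED_RULES)):
        print(label)
        for name, v in evaluate(chain).items():
            print(f"  {name:15s} -> {v}")
```

Run as a script it prints one verdict per packet for each chain. With Casey's rules the loopback client is accepted by the existing `-i lo` rule before any port rule is reached, remote hosts hitting 8080 and 3128 are rejected, a packet spoofing 127.0.0.1 on eth0 is dropped by the earlier anti-spoof rule, and the redirected LAN client is rejected because its source is not 127.0.0.1; the interface-scoped variant accepts that LAN packet while still rejecting remote hosts.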
____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
