Re: iptables rules

Geofrey Rainey wrote:
I find the best way for me to troubleshoot this sort of stuff is adding
a log rule just before any drop rule:

iptables -A RH-Firewall-1-INPUT -j LOG

Then you can tailf /var/log/messages and see all the details about the
blocked/dropped packets etc.

THANK YOU! I was just trying to remember how to get logging going.

	mark "trying it tomorrow"
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Genco Yilmaz
Sent: Tuesday, 30 March 2010 10:33 a.m.
To: General Red Hat Linux discussion list
Subject: Re: iptables rules

On Mon, Mar 29, 2010 at 11:03 PM, <m.roth@xxxxxxxxx> wrote:

I've got a server with several IPs on eth0. I want to block all traffic
*except* to port 80 on them, but not on any other IPs, so that
eth0 is www.xxx.yyy.zzz
eth0:1 is www.xxx.yyy.ggg
eth0:2 is www.xxx.yyy.hhh
How about:

-A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -j DROP
-A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -j DROP

.. I don't follow which ones are supposed to allow other traffic and
which ones aren't .. but this syntax should work for the allow-port-80-only
portion.
Yeah, I thought of that set, also, and the other was my manager's
suggestion. I've tried that, also, and still no joy.

*grump* (not you, just iptables....)

        mark


Hi Mark,
   iptables is cool :) First of all, make sure that the loaded rules
match your iptables file and that no NAT rule is involved which might
have already changed the destination address. It is better if you
send the following output:

iptables -L -n -v
iptables -t nat -L -n -v


Genco.


--
Ann Coulter: I'd like to be FDR, so I could not bring in the New Deal.
Al Franken: I'd like to be Hitler, so I could not bring the Holocaust, and WWII, and....
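Added example, not from anyone in this thread: it generates the per-address ACCEPT/DROP rules Genco suggested, puts Geofrey's LOG rule in front of each DROP (with a --log-prefix so the /var/log/messages lines are easy to grep), and walks constructed sample packets through the chain first-match so you can see which rule each one would hit. The 192.0.2.x addresses are constructed placeholders for www.xxx.yyy.ggg/hhh, not real hosts.

```python
"""Build RH-Firewall-1-INPUT rules for a set of secondary addresses and
simulate iptables first-match evaluation against them (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHAIN = "RH-Firewall-1-INPUT"


@dataclass
class Rule:
    dst: Optional[str]    # -d address, or None for "any"
    proto: Optional[str]  # -p tcp, or None for "any"
    dport: Optional[int]  # --dport, only meaningful with proto
    target: str           # ACCEPT / LOG / DROP


def rules_for(addresses: List[str], port: int = 80) -> List[Rule]:
    """Per address: allow the service port, then LOG, then DROP the rest."""
    rules = []
    for addr in addresses:
        rules.append(Rule(addr, "tcp", port, "ACCEPT"))
        rules.append(Rule(addr, None, None, "LOG"))   # log just before the drop
        rules.append(Rule(addr, None, None, "DROP"))
    return rules


def render(rules: List[Rule], chain: str = CHAIN) -> List[str]:
    """Emit lines in /etc/sysconfig/iptables (iptables-restore) syntax."""
    lines = []
    for r in rules:
        parts = ["-A", chain]
        if r.dst:
            parts += ["-d", r.dst]
        if r.proto:
            parts += ["-p", r.proto, "-m", r.proto, "--dport", str(r.dport)]
        parts += ["-j", r.target]
        if r.target == "LOG":   # prefix must stay under 29 chars
            parts += ["--log-prefix", f'"{chain} DROP: "']
        lines.append(" ".join(parts))
    return lines


def verdict(rules: List[Rule], dst: str, proto: str, dport: int) -> Tuple[str, bool]:
    """First-match walk. LOG is non-terminating, so note it and keep going;
    a packet matching no rule falls through to whatever follows in the chain."""
    logged = False
    for r in rules:
        if r.dst and r.dst != dst:
            continue
        if r.proto and (r.proto != proto or r.dport != dport):
            continue
        if r.target == "LOG":
            logged = True
            continue
        return r.target, logged
    return "CONTINUE", logged
```

Traffic to the primary address (not in the list) falls through untouched, which is the "but not on any other IPs" part of Mark's question; run `iptables -L -n -v` afterwards as Genco suggests and compare the packet counters on the LOG and DROP rules with what the log lines show.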

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
