iptables
What is the difference between the two commands?
I want to block all data (tcp) coming from the internet (www) to my network, but allow data going from my network to the internet.
Code:
iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 --syn -j DROP
iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --dport 80 -s 0/0 -j ACCEPT
Personally I find it easier (where applicable) to filter routed traffic by interfaces rather than IPs/subnets. I find it centers how I think about how my rules work.
An example:
Code:
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
I am guessing that you aren't doing egress filtering (i.e. filtering outgoing traffic), so the following rule probably isn't necessary. But this will allow locally generated traffic out to the internet.
Code:
-A FORWARD -p tcp -i $Wan_If -o $Lan_If --dport 80 -j DROP
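An added example, not from the thread: a small first-match model of the FORWARD chain in Python that shows what each of the question's two rules actually matches, beside an interface-based stateful chain in the spirit of the answer. The interface names lan0/wan0, the default-deny third rule and the sample packets are constructed assumptions.

```python
import ipaddress

# A rule is its match criteria plus a target; fields mirror the iptables
# options used in the thread: -p, -s, -d, --sport, --dport, --syn,
# -m state --state, -i (in_if) and -o (out_if). Absent fields match anything.
def rule(target, **match):
    return {"target": target, "match": match}

def matches(match, pkt):
    for key, want in match.items():
        if key in ("src", "dst"):   # CIDR containment, as -s / -d do
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key == "state":        # -m state --state A,B: any listed state
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:  # exact match for -p, ports, --syn, -i, -o
            return False
    return True

def forward(chain, pkt, policy="ACCEPT"):
    """Walk the FORWARD chain: the first matching rule decides, else the policy."""
    for r in chain:
        if matches(r["match"], pkt):
            return r["target"]
    return policy

# The two rules from the question as posted (0/0 written out as 0.0.0.0/0).
ASKED = [
    rule("DROP", proto="tcp", src="0.0.0.0/0", sport=80, dst="172.16.1.0/24", syn=True),
    rule("ACCEPT", proto="tcp", dst="172.16.1.0/24", dport=80, src="0.0.0.0/0"),
]
# Interface-based stateful chain in the spirit of the answer; lan0/wan0 and the
# default-deny third rule are assumptions, not part of the original post.
STATEFUL = [
    rule("ACCEPT", proto="tcp", state={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", proto="tcp", in_if="lan0", out_if="wan0"),
    rule("DROP", proto="tcp", in_if="wan0", out_if="lan0"),
]

def pkt(src, dst, sport, dport, syn, state, in_if, out_if):
    return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport,
                syn=syn, state=state, in_if=in_if, out_if=out_if)

# Constructed sample packets (TEST-NET addresses): an Internet client opening a
# connection to a LAN web server, a LAN client opening one to an Internet web
# server, and the server's reply to that second connection.
INBOUND_NEW = pkt("203.0.113.5", "172.16.1.10", 51000, 80, True, "NEW", "wan0", "lan0")
OUTBOUND_NEW = pkt("172.16.1.10", "203.0.113.5", 51000, 80, True, "NEW", "lan0", "wan0")
INBOUND_REPLY = pkt("203.0.113.5", "172.16.1.10", 80, 51000, False, "ESTABLISHED", "wan0", "lan0")
```

With the posted rules an Internet host can still open a connection to port 80 on the LAN (rule 2 accepts it) and rule 1 only drops SYNs whose source port is 80, the reverse of the stated goal; the stateful chain drops new inbound connections while letting replies to LAN-initiated connections through.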
Thanks. The link has almost everything about configuring firewalls. It's a great help.