-   Linux - Networking (
-   -   iptables (

sourav garai 05-01-2012 04:30 AM

What is the difference in between the two commands?
I want to block all data(tcp) comming from the internet(www)to my network. But allow data going from my network to internet.

iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d --syn -j DROP

iptables -A FORWARD -m tcp -p tcp -d --dport 80 -s 0/0 -j ACCEPT

fukawi1 05-01-2012 06:59 AM

Personally I find it easier (where applicable)to filter routed traffic by interfaces. rather than IP's/subnets. I find it centers how I think about how my rules work.
An example

-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -i $Wan_If -o $Lan_If --dport 80 -j DROP

This will drop packets coming from the internet to the local network
I am guessing that you aren't doing egress filtering (ie filtering outgoing traffic), so the following rule probably isn't necessary. But this will allow locally generated traffic out to the internet

-A FORWARD -p tcp -i $Wan_If -o $Lan_If --dport 80 -j DROP
Also, this link is well worth reading a couple of times, and so is the iptables manpage.

sourav garai 05-01-2012 01:46 PM

Thanks. The link has almost everything about firewall configuring.. Its a great help.

All times are GMT -5. The time now is 03:53 AM.