Quote:
Originally Posted by Jeiku
iptables -A INPUT -p tcp -s ! 192.168.10.5 --dport 80 -j REJECT
this is not such a good idea... you'd be sending answers to queries on the WAN side also... your best bet is to set the INPUT policy to DROP, and then use more specific rules for your LAN, like this (assuming your LAN interface is eth1):
Code:
# default: anything not explicitly accepted below is silently dropped
iptables -P INPUT DROP
# keep replies to connections we started (and related traffic) flowing
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# local processes talking to each other over loopback
iptables -A INPUT -i lo -j ACCEPT
# the one LAN host that is allowed to open new connections to port 80
iptables -A INPUT -p TCP -i eth1 -s 192.168.10.5 \
--dport 80 -m state --state NEW -j ACCEPT
# everyone else on the LAN gets an explicit refusal instead of a timeout
iptables -A INPUT -p TCP -i eth1 -s 192.168.10.0/24 \
--dport 80 -m state --state NEW -j REJECT
of course this assumes that you want to send a REJECT to the non-authorized machines on your LAN so that they don't hang or whatever... cuz you really don't *need* any REJECT rule to do this, as the --dport 80 packets which aren't from 192.168.10.5 will run smack into the DROP policy either way...
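To make the difference between the two approaches concrete, here is an added example (not code from either poster) that simulates first-match evaluation of an INPUT chain for both rulesets against a few constructed packets. It models only the handful of matches used in the thread (-p, -i, -s with "!" negation, --dport, --state) and assumes that Jeiku's chain otherwise has iptables' built-in default policy of ACCEPT; the WAN interface name eth0 and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Toy first-match simulator for an iptables INPUT chain.

Constructed example, not iptables itself: it models just enough of the
-p / -i / -s (with '!' negation) / --dport / --state matches to compare
the two rulesets from the thread on a handful of constructed packets.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str      # source IP address
    iface: str    # interface the packet arrived on
    proto: str    # "tcp" / "udp"
    dport: int    # destination port
    state: str    # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    target: str                                    # ACCEPT / DROP / REJECT
    proto: Optional[str] = None                    # -p
    iface: Optional[str] = None                    # -i
    src: Optional[str] = None                      # -s, optionally "!"-negated
    dport: Optional[int] = None                    # --dport
    states: Set[str] = field(default_factory=set)  # -m state --state

    def matches(self, pkt: Packet) -> bool:
        if self.proto and self.proto.lower() != pkt.proto.lower():
            return False
        if self.iface and self.iface != pkt.iface:
            return False
        if self.src:
            negate = self.src.startswith("!")
            net = ipaddress.ip_network(self.src.lstrip("!").strip(), strict=False)
            hit = ipaddress.ip_address(pkt.src) in net
            if hit == negate:  # a negated match fails when the source IS in the net
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def evaluate(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Jeiku's single rule, on a chain whose policy is still the built-in
# default of ACCEPT (assumption: nothing else was changed).
ORIGINAL_POLICY = "ACCEPT"
ORIGINAL_RULES = [
    Rule(target="REJECT", proto="tcp", src="!192.168.10.5", dport=80),
]

# The ruleset proposed in the reply (LAN on eth1, DROP policy).
REPLY_POLICY = "DROP"
REPLY_RULES = [
    Rule(target="ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule(target="ACCEPT", iface="lo"),
    Rule(target="ACCEPT", proto="tcp", iface="eth1", src="192.168.10.5",
         dport=80, states={"NEW"}),
    Rule(target="REJECT", proto="tcp", iface="eth1", src="192.168.10.0/24",
         dport=80, states={"NEW"}),
]

# Constructed packets: the permitted LAN host, another LAN host, and two
# WAN-side probes arriving on eth0 (203.0.113.0/24 is a documentation range).
PACKETS = {
    "lan_allowed": Packet("192.168.10.5", "eth1", "tcp", 80, "NEW"),
    "lan_other":   Packet("192.168.10.20", "eth1", "tcp", 80, "NEW"),
    "wan_http":    Packet("203.0.113.7", "eth0", "tcp", 80, "NEW"),
    "wan_ssh":     Packet("203.0.113.7", "eth0", "tcp", 22, "NEW"),
}


def compare(name: str) -> Tuple[str, str]:
    """Return (verdict under Jeiku's chain, verdict under the reply's chain)."""
    pkt = PACKETS[name]
    return (evaluate(ORIGINAL_RULES, ORIGINAL_POLICY, pkt),
            evaluate(REPLY_RULES, REPLY_POLICY, pkt))


if __name__ == "__main__":
    for name in PACKETS:
        orig, reply = compare(name)
        print(f"{name:12s} original={orig:7s} reply={reply}")
```

Running it shows the point the reply makes: under the single negated REJECT rule a WAN probe to port 80 gets a REJECT (so the box answers with a TCP reset or ICMP error and reveals itself), and a WAN probe to any other port falls through to the ACCEPT policy entirely; under the DROP-policy ruleset both are silently discarded, while the LAN-side behaviour for 192.168.10.5 and the rest of 192.168.10.0/24 is unchanged.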