ban external access to specific services with iptables?

tbeehler · 07-17-2008, 11:43 AM

Hello all,

I am getting attempts on a couple of services that run on my server, and these services don't need to be accessed from the outside world.

So, I have tried the following:

iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport 80 -j DROP

to no avail. How do I get iptables to ban access from the outside world to these services, but allow internal access?

I imagine I'm off by just a bit in my above line, but any help would be appreciated! Thanks in advance!

Tinkster · 07-17-2008, 01:29 PM

Need more input. What interfaces has the machine got, are
ports being forwarded to it or is it on the perimeter and
dual homed?

tbeehler · 07-17-2008, 01:44 PM

Quote:

Originally Posted by Tinkster

Need more input. What interfaces has the machine got, are
ports being forwarded to it or is it on the perimeter and
dual homed?

Sorry about that.

There's two interfaces eth0 (internal) and eth1 (external).

There's no port forwarding.

david1941 · 07-17-2008, 03:49 PM

Since you want the external interface to drop port 80 and you have existing rules (Maybe not - try /sbin/iptables -L to see the current rules) Use an insert to put your new rule first.

iptables -I INPUT -i eth1 -p tcp --dport 80 -j DROP

Dave

Oops -- use -i eth1 for your external interface

tbeehler · 07-17-2008, 04:38 PM

Quote:

Originally Posted by david1941

Since you want the external interface to drop port 80 and you have existing rules (Maybe not - try /sbin/iptables -L to see the current rules) Use an insert to put your new rule first.

iptables -I INPUT -i eth1 -p tcp --dport 80 -j DROP

Dave

Oops -- use -i eth1 for your external interface

That worked perfectly, thanks! I knew it was something simple, just couldn't get my head around it. Sometimes we just have those days.

Thanks again!