LinuxQuestions.org - Linux - Newbie
IPtables - How to allow only web access to everyone and deny all other services? (https://www.linuxquestions.org/questions/linux-newbie-8/iptables-how-to-allow-only-web-access-to-everyone-and-deny-all-other-services-738128/)

rajeshkerala 07-06-2009 02:03 PM

IPtables - How to allow only web access to everyone and deny all other services?
 
I am using RHEL5. Please let me know what is wrong with what I am doing?
(This is only for learning purposes.)
iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
---ditto for udp---
iptables -A INPUT -s 0/0 -j REJECT
---ditto for udp--

But this does not work. Is this wrong? According to my logic, the first matching rule will be satisfied, and only then will the second rule be read by iptables...
Thanks.

kirukan 07-06-2009 02:24 PM

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Try this; it may be fine because all INPUT & FORWARD are dropped and then we are allowing ports (I feel this is good practice for handling the packets).

chrism01 07-06-2009 06:23 PM

Actually

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

just sets the default policy to apply at the END of the ruleset, i.e. if the packet has not already been matched.
http://www.governmentsecurity.org/fo...showtopic=1356

rajeshkerala 07-06-2009 11:37 PM

Thanks for your responses. Could you please explain what I am doing wrong, and why it is not working?

chrism01 07-06-2009 11:44 PM

What makes you think it is wrong? Give us an explicit example/proof in detail.
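The first-match walk rajeshkerala describes and the end-of-chain policy chrism01 explains, as an added toy simulation (not code from the thread, and not real iptables): rules are modelled as dicts, the `iface` and `state` keys stand in for `-i` and `-m state`, and the packets are constructed for the illustration. It also shows the practical caveat a defender would check first: neither posted ruleset accepts replies to connections the host opened itself, which the stock RHEL ruleset covers with an `ESTABLISHED,RELATED` rule.

```python
# Added example: a toy model of how iptables walks a chain. Rules are tested
# in order; the first match decides the verdict, and the chain policy (the
# ":INPUT DROP" line) is used only when no rule matched. Not real iptables.

def matches(rule, pkt):
    """A rule matches when every criterion it specifies equals the packet's value."""
    return all(pkt.get(key) == value
               for key, value in rule.items() if key != "target")

def evaluate(rules, policy, pkt):
    """Verdict for pkt: the first matching rule wins, otherwise the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy  # only reached when nothing above matched

# rajeshkerala's rules: allow port 80, then reject everything (policy left at ACCEPT)
OP_RULES = [
    {"proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"proto": "udp", "dport": 80, "target": "ACCEPT"},
    {"target": "REJECT"},
]

# kirukan's RH-Firewall-1-INPUT, reduced to the rules that matter for TCP/UDP
KIRUKAN_RULES = [
    {"iface": "lo", "target": "ACCEPT"},
    {"proto": "icmp", "target": "ACCEPT"},
    {"state": "NEW", "proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"target": "REJECT"},
]

# Same chain with the conntrack rule the stock RHEL ruleset carries first:
# accept packets belonging to connections this host already has open.
STATEFUL_RULES = [{"state": "ESTABLISHED", "target": "ACCEPT"}] + KIRUKAN_RULES

# Constructed packets arriving on eth0
WEB_REQUEST = {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
SSH_ATTEMPT = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
# a DNS answer to a lookup this host made: a UDP reply to an ephemeral port
DNS_REPLY = {"iface": "eth0", "proto": "udp", "dport": 40123, "state": "ESTABLISHED"}

def verdicts(rules, policy):
    """Run the three sample packets through a chain and collect the verdicts."""
    samples = [("web", WEB_REQUEST), ("ssh", SSH_ATTEMPT), ("dns_reply", DNS_REPLY)]
    return {name: evaluate(rules, policy, pkt) for name, pkt in samples}

if __name__ == "__main__":
    for name, rules, policy in [("rajeshkerala", OP_RULES, "ACCEPT"),
                                ("kirukan", KIRUKAN_RULES, "DROP"),
                                ("stateful", STATEFUL_RULES, "DROP")]:
        print(name, verdicts(rules, policy))
```

Both posted rulesets pass the web request and reject the SSH attempt, but they also reject the DNS reply, so outbound lookups from the box time out; the stateful chain accepts it while still rejecting unsolicited SSH.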

