LinuxQuestions.org
Old 07-06-2009, 02:03 PM   #1
rajeshkerala
Member
 
Registered: Mar 2008
Posts: 35

Rep: Reputation: 15
IPtables - How to allow only web access to everyone and deny all other services?


I am using RHEL5. Please let me know what is wrong with what I am doing.
(This is only for learning purposes.)
iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
---ditto for udp---
iptables -A INPUT -s 0/0 -j REJECT
---ditto for udp--

But this does not work. Is this wrong? According to my logic, the first matching rule will be satisfied, and only then will iptables read the second rule...
Thanks
 
Old 07-06-2009, 02:24 PM   #2
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,274

Rep: Reputation: 148
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# loopback and ICMP first, then new HTTP connections, then reject everything else
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# every table in iptables-save format must end with COMMIT or iptables-restore rejects the file
COMMIT
Try this; it should be fine because all INPUT & FORWARD traffic is dropped and then we allow ports (I feel this is good practice for handling packets).
 
Old 07-06-2009, 06:23 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,374

Rep: Reputation: 2383
Actually

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

just sets the default policy, which is applied at the END of the ruleset, i.e. if the packet has not already been matched.
http://www.governmentsecurity.org/fo...showtopic=1356
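The first-match walk described in post #1 and the end-of-chain policy described in post #3, as an added Python model of INPUT chain evaluation (not code from the thread); the rule sets from posts #1 and #2 are transcribed into it and the packets are constructed. It shows that the two-rule set from post #1 does accept port 80 and reject other new connections, but also that neither rule set has an ESTABLISHED,RELATED accept, so replies to the host's own outbound connections (a DNS answer, for example) are rejected, and only post #2's `-i lo` rule keeps loopback traffic working.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed model of iptables first-match evaluation; source addresses are
# ignored because both rule sets in the thread use -s 0/0 (any source).

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    iface: str = "eth0"
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str                       # ACCEPT, REJECT or DROP
    proto: Optional[str] = None       # None means "any protocol"
    dport: Optional[int] = None
    iface: Optional[str] = None
    states: Tuple[str, ...] = ()      # empty means "any state"

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface)
                and (not self.states or p.state in self.states))

def verdict(rules, policy: str, p: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    The chain policy is consulted only when no rule matched (post #3)."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

# Post #1: accept tcp/80 from anywhere, then reject everything else.
OP_RULES = [Rule("ACCEPT", proto="tcp", dport=80), Rule("REJECT")]
# Post #2, RH-Firewall-1-INPUT flattened: lo, any icmp, NEW tcp/80, reject.
KIRUKAN_RULES = [Rule("ACCEPT", iface="lo"), Rule("ACCEPT", proto="icmp"),
                 Rule("ACCEPT", proto="tcp", dport=80, states=("NEW",)),
                 Rule("REJECT")]

PACKETS = {  # constructed sample traffic arriving on INPUT
    "http_syn": Packet("tcp", 80),
    "ssh_syn": Packet("tcp", 22),
    "loopback": Packet("tcp", 3306, iface="lo"),
    "ping": Packet("icmp"),
    "dns_reply": Packet("udp", 40000, state="ESTABLISHED"),  # answer to our own query
}

def evaluate(rules, policy: str = "ACCEPT") -> dict:
    return {name: verdict(rules, policy, p) for name, p in PACKETS.items()}
```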
 
Old 07-06-2009, 11:37 PM   #4
rajeshkerala
Member
 
Registered: Mar 2008
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks for your responses. Could you please explain what I am doing wrong and why it is not working?
 
Old 07-06-2009, 11:44 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,374

Rep: Reputation: 2383
What makes you think it is wrong? Give us an explicit example/proof in detail.
 