I am trying to allow web server traffic from internal only. When I do this:

I get this error:

eth1 = lan interface on server. Referring to the man pages for iptables:

Isn't this a network name?

Also, is this rule the best way of accomplishing this?

Network name doesn't mean interface name. It simply means that you can specify a mask. For instance, 10.0.0.0/24. -i (in) or -o (out) work with interface names - depending on how the data flows.

With IP spoofing, is there a more secure way of doing this?

I tried the -o option, and it said: Can't use -o with INPUT

It would go from internal interface (eth1) to wan interface (eth0). Let me know if this helps.

Please don't write a post for each idea you're coming up with. Just edit the initial post or wait for the answer. You've already stated three different things.

INPUT chains refers only to packets received by the server itself. You don't use INPUT if you want your machine to act as a router (forwarding packets), which you seem to imply in your last post. So what are you trying to do exactly? Is this a web server that you'd like to access only from your LAN? If that's the case, then I don't understand what you mean by going from internal to wan. It should be only internal and that's that.

INPUT only works with -i, because you're receiving packets through an interface. OUTPUT goes with -o.

Sorry.

I have pi hole listening on the wan interface, but maybe I should change that to lan, and this would be easier/make more sense?

I've no idea what pi hole is. I just did a quick search on the internet - some advertisment stuff. How would anyone know where you'd like it to listen? WAN is internet, LAN is your private network. You're jumping from one thing to another and you haven't reacted to either of my posts and you probably haven't tried anything after my suggestions.

You are correct in saying that I'd like to access it only from my lan. What would be the iptable rule to allow it to respond only to local requests?

Having quickly read (again) about pi hole, I understand that it works as a DNS server which filters ads by simply dropping packets from ad servers (kind of like OpenDNS). This has nothing to do with allowing ports 80, 443 in iptables. The only thing you need to do is to allow udp, tcp port 53 in lan (which I'm guessing is already allowed, but to answer your question, yes, allow it on LAN, not WAN - unless you're looking to access it from the internet, which I doubt) and then set up your computers to use the pi hole as the DNS server. Then it should works directly. Ideally, you could simply add the pi-hole ip on your dhcp server (probably included in your home router) as the single DNS server used by your network devices, so that you don't need to manually configure each - especially the phones which would be somewhat harder and annoying to do.

The reason for 80/443 is the admin/gui/stats interface website that it provides. I've tried adding this rule:
But the website loads not only internally, but also on my wan external IP, which is NOT what I want.

What is the output of iptables -vnL INPUT?

Do you believe it is another rule, in addition to the rule, that is causing the external ip to load the webpage?

Well I would strongly suggest at least learning the basics of iptables. For instance, here: https://www.digitalocean.com/communi...s-and-commands
The rule you're trying to add doesn't have much of an impact, because you're already allowing everything. You should either change your INPUT policy to DROP, or add an explicit reject/drop rule at the end of your chain. You might also want to add ssh access (at least from the LAN?) to it. So you'd need udp/tcp 53 and tcp 22, 80, 443.

Do other chains need an explicit reject/drop rule at the end as well?