On Monday 29 March 2010 16:48, m.roth@xxxxxxxxx wrote:
> I've got a server with several IPs on eth0. I want to block all traffic
> *except* to port 80 on them, but not on any other IPs, so that
> eth0 is www.xxx.yyy.zzz
> eth0:1 is www.xxx.yyy.ggg
> eth0:2 is www.xxx.yyy.hhh
>
> I've tried
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP
> -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP

The problem is your firewall is no firewall. It blocks nothing and allows
everything.

> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [769:48207]
> :RH-Firewall-1-INPUT - [0:0]

By setting all the default policies to ACCEPT you are blocking nothing.

> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j DROP
> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j DROP
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> <...>
> and I notice it puts the ! in front of the --dport, but has no complaints.
>
> However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules?

See above. Try these rules; I'm sure you will get better results. And yes, I
dropped the stupid RH-Firewall-1-INPUT BS that RH puts in there. Let's make a
stateful firewall while we are at it also.

    # Set policies to drop
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Setup OUTPUT rules to allow everything outbound
    # (-A appends, so the rules keep the order written here; -I would insert
    # each rule at the top of the chain and put the final DROP first)
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -j DROP

    # Setup INPUT rules to only allow what we want
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A INPUT -j DROP

Sure, you can combine the output rules into one, but I like it this way in
case I need to block something from exiting the system.

You can use this tutorial to better define your rules; for example, the icmp
rule you have above you can fine tune to only allow what is needed. Just
remember that the rules are read from top to bottom and the first matching
rule is used.

http://www.zoominternet.net/~lazydog/iptables-tutorial.html

--
Regards
Robert
Linux User #296285
http://counter.li.org

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
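The following is an added example and not code from either poster. It goes a step beyond the thread: it generates an iptables-restore ruleset that does what the original question asked for (only TCP/80 reachable on the listed addresses, a normal stateful policy on the others), validates the addresses before embedding them, and includes a small simulator showing how -I and -A order a chain, which is what decides "first match wins". The addresses are RFC 5737 documentation addresses (constructed), the port list for the other addresses is an assumed parameter, and `-m conntrack --ctstate` is the current spelling of the `-m state` match used in the reply.

```shell
#!/bin/sh
# Added example, not the posters' code. Builds an iptables-restore file for
# the "port 80 only on these addresses" case and simulates chain ordering.
# Addresses below are RFC 5737 documentation addresses (constructed).

# Accept only dotted-quad IPv4 literals before embedding them in a rule.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_ruleset OTHER_PORTS IP...   -> iptables-restore text on stdout
#   OTHER_PORTS: comma-separated TCP ports allowed on addresses NOT listed
#                (assumed parameter, e.g. 22)
#   IP...:       addresses that may only be reached on tcp/80
gen_ruleset() {
    other_ports=$1; shift
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback first, then discard conntrack INVALID, then the stateful accept.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
                  '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
                  '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
        # Per-address pair: allow new tcp/80, drop anything else sent to it.
        printf '%s\n' "-A INPUT -d $ip -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT" \
                      "-A INPUT -d $ip -j DROP"
    done
    # Remaining addresses: the agreed service ports plus ping; policy drops the rest.
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $other_ports -m conntrack --ctstate NEW -j ACCEPT" \
                  '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
                  'COMMIT'
}

# chain_order CMD...  -> resulting chain, one rule per line
#   CMD is "I:<rule>" (insert at head, like iptables -I) or "A:<rule>"
#   (append, like iptables -A), given in the order the commands are typed.
chain_order() {
    order=""
    for cmd in "$@"; do
        rule=${cmd#??}
        case $cmd in
            I:*) order="${rule}${order:+|$order}" ;;
            A:*) order="${order:+$order|}${rule}" ;;
        esac
    done
    printf '%s\n' "$order" | tr '|' '\n'
}

# Usage when run directly (writes the ruleset to stdout):
#   sh build-rules.sh 22 198.51.100.2 198.51.100.3 > /tmp/rules.v4
#   iptables-restore --test /tmp/rules.v4 && iptables-restore /tmp/rules.v4
if [ "$#" -gt 1 ]; then
    gen_ruleset "$@"
fi
```

Loading with iptables-restore replaces the whole table in one step, so the order in the file is the order in the kernel and there is no window where only half the rules are present, which is exactly the ordering problem that shell scripts mixing -I and -A run into.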