On Thursday 02 January 2003 09:49 am, JUSTIN GERRY wrote:
> I tried your suggestions below and yes, I finally have two websites
> working on the same box. Simplifying things does indeed work.
>
> Is there a way to, by default drop everything on the output chain, but
> insert a rule to allow only http requests that were initiated by a
> client to either website?
>
> Or if my input rules are sufficient, do I really need to do anything
> on the output chain other than let everything out?
>
> Thanks,
> Justin

If you trust that nothing on the box is or ever will connect that you
don't want to, then output chain can just have an ACCEPT policy.

If you want to lock down to make it harder for a trojan or such to
communicate back from the box, you can set a DROP policy, then:

    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

will let traffic back out in response to client requests, but not let
the box initiate any connections. If this tighter firewall still allows
the needed connections, why open up any further? I'd suggest you might
want to log dropped output traffic, though, to see what DOES try to get
out.

Depending on your usage and plans, you might want to open a few
outbounds, like traceroute, ping, CVS, http, or ftp access FROM the box
if you want to use these services when logged into the box, for updating
software etc. Of course you can just allow those connections when
needed, and the rest of the time go with DROP policy and the EST/REL
rule above.

j