Re: newbie problem

On Monday 17 February 2003 02:43 am, Chris Barnes wrote:
> Hi people, I'm new to the list.
>
> Anyway, I have a very simple firewall on a web server. I want to deny
> access to everything except the web server (port 80).
>
> I have set the policy on all chains to drop and I have added a rule to
> the input chain which says
>
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
>
> iptables -A OUTPUT -p tcp -j ACCEPT
>
> What am I doing wrong, or what is a better way to do this?
>
> Thanks heaps for your help.

You have to accept connections TO port 80, not FROM port 80...

Try these:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

They will allow clients to connect and retrieve http documents, as well 
as allowing the very useful ICMP controls like source_quench 
fragmentation control and such that really make web browsing work 
properly, but no other communication in OR out is allowed by these 
rules.  (assuming DROP policy on OUTPUT)  Add appropriate ACCEPT rules 
to OUTPUT if the server needs to initiate connections for some reason.

j
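The correction in the reply above, as a toy evaluator added here (a constructed example, not real iptables and not code from the thread): it models only protocol, ports and conntrack state under a DROP policy, and shows why a rule on --sport 80 both turns away ordinary browser connections and accepts unrelated inbound traffic that merely carries source port 80, while the --dport 80 plus ESTABLISHED,RELATED rules behave as intended.

```shell
#!/bin/sh
# Added illustration, not from the thread: a toy first-match evaluator for the
# two INPUT rulesets. It is NOT iptables; it only models proto/sport/dport/state.
# Rule fields: proto sport dport state target. "any" is a wildcard.
# When no rule matches, the chain policy applies, which the poster set to DROP.

# Original poster's INPUT rule: matches on the SOURCE port.
WEAK_INPUT='tcp 80 any any ACCEPT'

# Reply's INPUT rules: match on the DESTINATION port, plus conntrack states.
FIXED_INPUT='tcp any 80 any ACCEPT
any any any ESTABLISHED ACCEPT
any any any RELATED ACCEPT'

# field_matches RULE_FIELD PACKET_FIELD: true when the rule field is a wildcard or equal.
field_matches() { [ "$1" = any ] || [ "$1" = "$2" ]; }

# evaluate RULES PROTO SPORT DPORT STATE: prints the first matching target, else DROP.
evaluate() {
  result=$(printf '%s\n' "$1" | while read -r rproto rsport rdport rstate target; do
    [ -z "$rproto" ] && continue
    if field_matches "$rproto" "$2" && field_matches "$rsport" "$3" &&
       field_matches "$rdport" "$4" && field_matches "$rstate" "$5"; then
      echo "$target"
      break
    fi
  done)
  echo "${result:-DROP}"
}

# A browser's new connection to the web server (high source port, dport 80).
echo "client -> :80   weak:  $(evaluate "$WEAK_INPUT"  tcp 51234 80 NEW)"  # DROP
echo "client -> :80   fixed: $(evaluate "$FIXED_INPUT" tcp 51234 80 NEW)"  # ACCEPT

# An unrelated new inbound connection whose sender happened to use source port 80.
echo "sport 80 -> :22 weak:  $(evaluate "$WEAK_INPUT"  tcp 80 22 NEW)"     # ACCEPT
echo "sport 80 -> :22 fixed: $(evaluate "$FIXED_INPUT" tcp 80 22 NEW)"     # DROP

# ICMP tied to an existing HTTP flow (fragmentation-needed and the like) is RELATED.
echo "related icmp    fixed: $(evaluate "$FIXED_INPUT" icmp 0 0 RELATED)"  # ACCEPT
```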
