Thanks to you and to the other gentleman. That fixed me and seems to be working perfectly.
Thanks,
Glenn
On Thu, 2003-08-14 at 06:17, Chris Wilson wrote:
Hi Glenn,

> I have my rules setup the way I would guess they should be based on 5
> tutorials, 1 book and the man pages. However, I still can't seem to get
> the thing to do what I want. Could someone please help me?
>
> I will make this very simple:
> 1) I want to allow all incoming requests to port 80
> 2) I want to allow all outgoing requests .... period.
>
> I want to drop all other incoming requests not addressed to port 80.

Did you see Rob Sterenborg's response to your previous post? The ruleset
which you sent didn't appear to be complete. You also don't mention if the
machine you're running the firewall on is the same one that's running the
web server, and that you're trying to make outgoing requests from.

Assuming that it is, the following rules should work:

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state established -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If, on the other hand, you have another network behind your Linux box, and
machines on that network need to get through the Linux box to the Internet,
then you will need the following additional rules:

iptables -A FORWARD -i <internal-interface> -o <external-interface> \
    -j ACCEPT
iptables -A FORWARD -m state --state established -j ACCEPT

and if the internal machines have private IP addresses:

iptables -t nat -A POSTROUTING -o <external-interface> -j MASQUERADE

By the way, I don't like my first impression of your challenge-response
spam filter. You might want to try SpamAssassin, it's much less intrusive
to people trying to e-mail you.

Cheers, Chris.
--
Glenn Hancock
SofTek Software International, Inc.
813 Pavilion Court
T: 678-583-5720
I: ghancock@xxxxxxxxxxxxxxxxxx
www.softeksoftware.com
www.Spambite.com

NOTE: My email address is currently protected by Spambite. If you send me an email, you will be asked to validate your email address on the Spambite network AND re-send your original email to me. Or, you can pro-actively register your email address on the Spambite network by visiting the website: www.spambite.com When visiting the website, please feel free to look around to learn about this exciting new technology.
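The two rulesets Chris describes (a single web host, and a gateway with an internal LAN behind it), as an added shell example that is not from the thread: it emits the iptables commands so they can be reviewed before anything is applied, and it uses ESTABLISHED,RELATED instead of the bare established match so that ICMP errors tied to an existing connection are admitted too. The interface names eth1/eth0 in the usage comments are placeholders.

```shell
#!/bin/sh
# Print the iptables ruleset for one of two cases:
#   build_rules host                 -> firewall and web server on the same box
#   build_rules gateway eth1 eth0    -> additionally forward/masquerade an internal LAN
# Nothing is applied here; pipe the output through apply_rules once it looks right.

build_rules() {
    mode=$1; int_if=$2; ext_if=$3
    # Clean slate, then default-deny for inbound and forwarded traffic;
    # outbound stays open, which is what the original question asked for.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD DROP"
    # Replies to connections this host opened (ESTABLISHED) and associated
    # traffic such as ICMP errors (RELATED) may come back in.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # The only new inbound connections accepted: HTTP.
    # If you administer the box over SSH, add an equivalent rule for port 22
    # before applying this remotely, or the DROP policy will lock you out.
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
    if [ "$mode" = gateway ]; then
        [ -n "$int_if" ] && [ -n "$ext_if" ] || {
            echo "gateway mode needs <internal-interface> <external-interface>" >&2
            return 1
        }
        # LAN -> Internet is allowed; Internet -> LAN only for return traffic.
        echo "iptables -A FORWARD -i $int_if -o $ext_if -j ACCEPT"
        echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Private LAN addresses are rewritten to the external interface's address.
        echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
    fi
}

# Number of commands the ruleset contains (handy for a quick sanity check).
rule_count() { build_rules "$@" | wc -l | tr -d ' '; }

# Actually run the commands; requires root and a kernel with iptables.
apply_rules() { build_rules "$@" | sh -e; }
```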