RE: iptables rules


 



You're welcome. This little add-on is pretty useful to:

-A RH-Firewall-1-INPUT -j LOG --log-prefix "<text to prepend to log entry>"

Yeah I was just fiddling around with this myself last night actually on
my Linux firewall at home trying to solve a problem :)

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of mark
Sent: Tuesday, 30 March 2010 12:53 p.m.
To: General Red Hat Linux discussion list
Subject: Re: iptables rules

Geofrey Rainey wrote:
> I find the best way for me to troubleshoot this sort of stuff is adding
> a log rule just before any drop rule:
> 
> IPTABLES -A RH-Firewall-1-INPUT -j LOG
> 
> Then you can tailf /var/log/messages and see all the details about the
> blocked/dropped packets etc.
> 
THANK YOU! I was just trying to remember how to get logging going.

	mark "trying it tomorrow"
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Genco Yilmaz
> Sent: Tuesday, 30 March 2010 10:33 a.m.
> To: General Red Hat Linux discussion list
> Subject: Re: iptables rules
> 
> On Mon, Mar 29, 2010 at 11:03 PM, <m.roth@xxxxxxxxx> wrote:
> 
>>>> I've got a server with several ip's on eth0. I want to block all traffic
>>>> *except* to port 80 on them, but not on any other IPs, so that
>>>> eth0 is www.xxx.yyy.zzz
>>>> eth0:1 is www.xxx.yyy.ggg
>>>> eth0:2 is www.xxx.yyy.hhh
>>> How about:
>>>
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp --dport 80 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -j DROP
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp --dport 80 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -j DROP
>>>
>>> .. I don't follow which ones are supposed to allow other traffic and which
>>> ones aren't .. but this syntax should work for the allow port 80 only
>>> portion.
>> Yeah, I thought of that set, also, and the other was my manager's
>> suggestion. I've tried that, also, and still no joy.
>>
>> *grump* (not you, just iptables....)
>>
>>         mark
>>
>>
> Hi Mark,
>    iptables is cool:) First of all make sure that loaded rules are matching
> your iptables file and no NAT rule is involved
> which might have already changed destination address. It is better if you
> send the following output;
> 
> iptables -L -n -v
> iptables -t nat -L -n -v
> 
> 
> Genco.


-- 
Ann Coulter: I'd like to be FDR, so I could not bring in the New Deal.
Al Franken: I'd like to be Hitler, so I could not bring the Holocaust,
and WWII, and....

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


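As an added example (not code from anyone in this thread): a small Python reader for the kernel LOG lines that a "LOG just before DROP" rule writes to /var/log/messages. It assumes the --log-prefix string "RH-DROP: " and uses constructed sample log lines; it tallies logged packets per destination and port and flags hits on (address, port) pairs that an earlier ACCEPT rule was supposed to pass, which is exactly the symptom Mark describes and the case where Genco's check of the loaded rules and the nat table is the next step.

```python
import re
from collections import Counter

# KEY=VALUE pairs written by the netfilter LOG target (bare flags like DF or SYN carry no '=')
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample syslog lines, not taken from the thread. The --log-prefix
# string is assumed to be "RH-DROP: "; the kernel prints it right before "IN=".
SAMPLE_LOG = """\
Mar 30 12:53:01 fw kernel: RH-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 12:53:02 fw kernel: RH-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 12:53:04 fw kernel: RH-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.21 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar 30 12:53:05 fw kernel: RH-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=99 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 12:53:06 fw kernel: eth0: link is up
Mar 30 12:53:07 fw kernel: OTHER: IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=4000 DPT=443
"""


def parse_log_line(line, prefix):
    """Return the LOG fields of one syslog line carrying `prefix`, or None for any other line."""
    pos = line.find(prefix + "IN=")
    if pos < 0:
        return None
    fields = dict(KV_RE.findall(line[pos + len(prefix):]))
    fields["TIMESTAMP"] = line[:15]
    return fields


def summarize(log_text, prefix="RH-DROP: "):
    """Count entries per (DST, PROTO, DPT); port-less protocols such as ICMP get '-' for DPT."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is not None:
            counts[(f.get("DST", "?"), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts


def unexpected_drops(counts, allowed):
    """Keys logged before DROP although an ACCEPT rule should have matched first.
    `allowed` is a set of (DST, PROTO, DPT) tuples; any hit means the ACCEPT rule is
    not matching (wrong order or address, or a nat rule rewrote DST before the filter chain)."""
    return {k: n for k, n in counts.items() if k in allowed}


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for (dst, proto, dport), n in sorted(totals.items()):
        print(f"{n:5d}  {dst:<16} {proto:<5} dport={dport}")
    print("should have been accepted:",
          unexpected_drops(totals, {("198.51.100.20", "TCP", "80"), ("198.51.100.21", "TCP", "80")}))
```

Against a real box, replace SAMPLE_LOG with the contents of /var/log/messages and keep the prefix equal to whatever --log-prefix you configured.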
