On Mon, 9 Apr 2012, Terry N wrote:
Hi,
After so many unsuccessful attempts at restricting and allowing a specified
domain access to my vhost, I tried the firewall. The firewall did not
work. Not sure where I messed it up. See below: port 80, REJECT ip_address
wasn't working. That IP address was my laptop:
<snip apache bits...>
FIREWALL:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
So far so good...
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
These rules will accept all traffic from lo or from any interface with a name
starting with eth...
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s 192.168.1.xyz --dport 80 -j REJECT
This attempt to reject the traffic from 192.168.1.xyz to tcp port 80 will
have no effect if the traffic came from lo or eth+ ... For this to have
an effect you probably want to move it above the accepts on eth+ !
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
This INPUT rule is out of the *usual* order but quite valid; it will
reject inbound traffic, but not for anything which has already been dealt
with, i.e. anything on an interface not matching lo or eth+ (pppN or bridges,
for example).
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
If you run iptables-save after loading your rules you will see the current
rules in a format you can easily/quickly load back in.
Using:
iptables -nvL INPUT
will show usage counts for each rule, which can help catch some errors
(e.g. a rule having 0 uses probably means that all traffic it would match
is already handled by a rule earlier in the chain)...
-- Jon
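Added example, not part of either mail in this thread: a small Python
first-match simulator for the posted INPUT chain. It walks the rules in
order the way the kernel does, so you can see that the laptop's port-80
packet is swallowed by "-A INPUT -i eth+ -j ACCEPT" before the REJECT is
ever consulted, and that the same packet is rejected once the REJECT is
moved above the interface-wide ACCEPTs. It also keeps per-rule hit
counters, which is exactly the "0 pkts" symptom `iptables -nvL INPUT`
would show on the real box. Assumptions: the redacted 192.168.1.xyz is
stood in for by 192.168.1.50, the sample packets are constructed, and the
`-m state` match is modelled as a "state" field on each packet. The nat
table and the FORWARD chain are not modelled; this is only for reasoning
about rule order.

```python
"""Toy first-match evaluator for an iptables INPUT chain (added example,
not code from the thread). It shows why a REJECT placed below an
interface-wide ACCEPT never fires, and why moving it up fixes that."""
import ipaddress

# Assumption: the post's redacted "192.168.1.xyz" is stood in for by .50.
LAPTOP = "192.168.1.50"

# INPUT chain in the order Terry posted it (iptables-save syntax).
ORIGINAL_INPUT = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i eth+ -j ACCEPT",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    f"-A INPUT -p tcp -s {LAPTOP} --dport 80 -j REJECT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]

# Same rules, with the REJECT moved above the lo / eth+ ACCEPTs as Jon suggests.
FIXED_INPUT = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    f"-A INPUT -p tcp -s {LAPTOP} --dport 80 -j REJECT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i eth+ -j ACCEPT",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]

# Constructed sample packets; "state" is what `-m state` would see.
PACKETS = [
    {"name": "laptop->web", "iface": "eth0", "proto": "tcp", "src": LAPTOP, "dport": 80, "state": "NEW"},
    {"name": "laptop->ssh", "iface": "eth0", "proto": "tcp", "src": LAPTOP, "dport": 22, "state": "NEW"},
    {"name": "other->web", "iface": "eth0", "proto": "tcp", "src": "192.168.1.20", "dport": 80, "state": "NEW"},
    {"name": "laptop ping", "iface": "eth0", "proto": "icmp", "src": LAPTOP, "dport": None, "state": "NEW"},
    {"name": "ppp0->web", "iface": "ppp0", "proto": "tcp", "src": "10.0.0.1", "dport": 80, "state": "NEW"},
]


def parse_rule(line):
    """Extract the matches this toy understands from one `-A CHAIN ...` line.
    Every option on these lines takes exactly one argument, so we step by two;
    -A, -m and --reject-with are simply skipped."""
    rule = {"iface": None, "proto": None, "src": None, "dport": None, "states": None, "target": None}
    toks = line.split()
    for i in range(0, len(toks), 2):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-i":
            rule["iface"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
    return rule


def matches(rule, pkt):
    """True if every match in the rule fits the packet. A trailing '+' on
    an interface name is iptables' prefix wildcard (eth+ = eth0, eth1, ...)."""
    want = rule["iface"]
    if want is not None:
        if want.endswith("+"):
            if not pkt["iface"].startswith(want[:-1]):
                return False
        elif pkt["iface"] != want:
            return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def run_traffic(rule_lines, packets, policy="ACCEPT"):
    """Walk the chain for each packet; the first matching rule decides.
    Returns ([(verdict, rule_index_or_None), ...], per-rule hit counters).
    The counters are what the pkts column of `iptables -nvL` would show."""
    rules = [parse_rule(line) for line in rule_lines]
    counters = [0] * len(rules)
    verdicts = []
    for pkt in packets:
        for idx, rule in enumerate(rules):
            if matches(rule, pkt):
                counters[idx] += 1
                verdicts.append((rule["target"], idx))
                break
        else:
            verdicts.append((policy, None))  # fell off the end: chain policy applies
    return verdicts, counters


def report(title, rule_lines):
    verdicts, counters = run_traffic(rule_lines, PACKETS)
    print(f"== {title}")
    for pkt, (verdict, idx) in zip(PACKETS, verdicts):
        print(f"  {pkt['name']:<12} -> {verdict:<6} ({'policy' if idx is None else f'rule {idx}'})")
    for idx, (hits, line) in enumerate(zip(counters, rule_lines)):
        print(f"  {hits:>4} pkts  [{idx}] {line}")


if __name__ == "__main__":
    report("as posted: REJECT shadowed by '-i eth+ -j ACCEPT'", ORIGINAL_INPUT)
    report("fixed: REJECT moved above the interface ACCEPTs", FIXED_INPUT)
```

In the "as posted" run the REJECT rule shows 0 pkts while the eth+ ACCEPT
absorbs every TCP packet from the LAN, which is the pattern Jon describes
checking for with `iptables -nvL INPUT`; only the ppp0 packet reaches the
final REJECT. After reordering, the laptop's port-80 packet is rejected
and everything else is handled as before.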