[H-GEN] An iptables question ...

Ewan Edwards Ewan.Edwards at mincom.com
Thu Sep 19 00:47:53 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]


... from someone who knows _almost_ nothing about iptables or ipchains or any 
other IP filtering stuff.

I have an http server on a machine on the company network (inside the 
firewall) where security from crackers (script kiddies etc.) is not an issue. 
 I have configured Apache to deny access to all IP addresses except one 
subnet in the Brisbane office.  So any address outside that subnet trying to 
access the server via http receives a "Forbidden" message.  This in itself is 
good, except ...

There are some individuals in another office (the other side of the router) 
who do regular scans of the network and are now expressing concerns about the 
existence of a device "that presents itself at port 80".  The IP address of 
that device is the address of my server running RedHat 7.3 Linux.  

Since I'm normally a very helpful and cooperative person, I'd like to do 
something to help ease their concerns.  The best solution I've thought of so 
far, is for my server to simply drop all packets destined for port 80, if 
those packets come from an address outside that one subnet in the Brisbane 
office.

Now, since I know almost nothing (not absolutely nothing) about iptables I 
reckon there's a very simple way to achieve this using iptables.  

So, the obvious question:  How?  

Should any of you kind knowledgeable souls be considering answering this 
question, please note that I'm a strong believer in the KISS (keep it simple, 
stupid) principle.  This is mainly because I'm not smart enough to understand 
it otherwise.

Best regards to you all, and thanks in advance for any responses.

Ewan

-- 
Ewan Edwards BE MIEAust CPEng MCSE
Systems Administrator
MineStar Solutions
Ewan.Edwards at mincom.com
Telephone: +61 (0) 7 3303 3554
Facsimile: +61 (0) 7 3303 3470
___________________________________________________________________

Growing old may be mandatory, but growing up is still optional.
___________________________________________________________________


-- 
This transmission is for the intended addressee only and is confidential information.  If you have received this transmission in error, please delete it and notify the sender.  The contents of this e-mail are the opinion of the writer only and are not endorsed by the Mincom Group of companies unless expressly stated otherwise.


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
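The rule set Ewan is asking for, as an added example that is not part of the original post or any reply to it. Apache runs on the host itself, so the rules belong in the INPUT chain (not FORWARD), and the order matters: iptables stops at the first matching rule, so the ACCEPT for the trusted subnet must come before the blanket DROP. The subnet 10.1.2.0/24 is a placeholder for the Brisbane office range, and the `in_subnet`/`verdict` functions are a constructed pure-shell simulation of how the kernel would walk those two rules, so the logic can be checked on any machine without root or iptables:

```shell
#!/bin/sh
# Constructed example: allow TCP port 80 from one trusted subnet, drop it from
# everywhere else. TRUSTED_SUBNET is a placeholder; set it to the real range.
TRUSTED_SUBNET="${TRUSTED_SUBNET:-10.1.2.0/24}"   # placeholder, not from the post
HTTP_PORT="${HTTP_PORT:-80}"

# Print the two iptables commands, in the order they must be applied.
# First rule: ACCEPT port 80 from the trusted subnet.
# Second rule: DROP port 80 from anyone else (nothing else is touched).
http_rules() {
    subnet="$1"; port="$2"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$subnet"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# --- Simulation helpers (constructed; not part of iptables) -----------------

# Convert a dotted quad into a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NETWORK/PREFIX -> exit 0 if ADDR lies inside the network.
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# verdict SRC_ADDR DST_PORT -> ACCEPT, DROP or PASS.
# Walks the rules above the way the kernel does: first match wins; a packet
# that matches neither rule (any port other than 80) falls through to the
# chain policy, shown here as PASS.
verdict() {
    src="$1"; port="$2"
    if [ "$port" -ne "$HTTP_PORT" ]; then
        echo PASS
    elif in_subnet "$src" "$TRUSTED_SUBNET"; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# When run directly, show the rules that would be applied.
http_rules "$TRUSTED_SUBNET" "$HTTP_PORT"
```

Running the script only prints the two commands; to apply them, run them as root (for example, `sh script.sh | sh`), then check the result with `iptables -L INPUT -n -v`. Two points worth knowing before declaring victory: DROP makes the port look "filtered" to the scanners in the other office, whereas `-j REJECT` would make it look closed (either quiets the complaint, but DROP is what the post asks for), and the Apache `Deny` configuration should stay in place as a second layer in case the rules are ever flushed. Rules added with `-A` are lost at reboot, so they need to be saved with the distribution's iptables init script or re-run from a startup script.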
