[H-GEN] An iptables question ...

Bradley Marshall zzbramar at uqconnect.net
Thu Sep 19 01:02:31 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Thu, 19 Sep 2002, Ewan Edwards wrote:

> Since I'm normally a very helpful and cooperative person, I'd like to do
> something to help ease their concerns.  The best solution I've thought of so
> far, is for my server to simply drop all packets destined for port 80, if
> those packets come from an address outside that one subnet in the Brisbane
> office.

The best idea would be to properly firewall the box, so only
the services that you wish to provide are open to who you
want to provide them to.

> So, the obvious question:  How?

Assuming you've gotten the appropriate things compiled into
your kernel, the following command should do something like
what you want.  I'll leave it to the reader to decide where
to put it so it runs on boot, I don't run RH.  This also
assumes that you have a default policy of ACCEPT.  x.y.z.0/24
is obviously the Brisbane office subnet.

  $IPTABLES -I INPUT -p tcp -s ! x.y.z.0/24 --dport 80 -j DROP

You'd need to invert the sense of the source if you do the right
thing and set the default policy to DROP.

Thanks,
Brad
         +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
         | Bradley Marshall    | http://www.uq.net.au/~zzbramar |
         | System/Network Admin|      brad at humbug.org.au        |
         | Plugged In Software |    bmarshal at pisoftware.com     |
         +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
 ``I'm not ashamed.  Its the computer age.  Nerds are in.'' - Willow (BtVS)
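Added example, not part of Brad's reply: a small POSIX shell script that spells out both cases he describes, the single DROP rule for a box whose default INPUT policy is ACCEPT, and the inverted form (explicitly ACCEPT the office subnet) for a box whose default policy is DROP. It uses the current iptables negation syntax `! -s` rather than the older `-s !` form in the post, and `x.y.z.0/24` stays a placeholder for the Brisbane office subnet. By default it only prints the commands; it runs them through iptables only when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the iptables rules for the
# two default-policy cases discussed above. OFFICE_NET is a placeholder subnet.

IPTABLES=${IPTABLES:-iptables}
OFFICE_NET=${OFFICE_NET:-x.y.z.0/24}   # placeholder: the Brisbane office subnet

# Case 1: default INPUT policy is ACCEPT. One rule, inserted at the top of the
# chain, drops port 80 from every source except the office subnet.
accept_policy_rules() {
    printf '%s\n' "$IPTABLES -I INPUT -p tcp ! -s $OFFICE_NET --dport 80 -j DROP"
}

# Case 2: default INPUT policy is DROP. The sense is inverted: nothing is
# reachable unless explicitly allowed, so loopback, replies to our own
# connections, and port 80 from the office subnet are accepted.
drop_policy_rules() {
    printf '%s\n' \
        "$IPTABLES -P INPUT DROP" \
        "$IPTABLES -A INPUT -i lo -j ACCEPT" \
        "$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "$IPTABLES -A INPUT -p tcp -s $OFFICE_NET --dport 80 -j ACCEPT"
}

# Print (dry run) or apply the rule set for the given policy style.
# APPLY=1 runs the commands for real, which needs root.
apply_rules() {
    policy=$1
    case "$policy" in
        accept) rules=$(accept_policy_rules) ;;
        drop)   rules=$(drop_policy_rules) ;;
        *) echo "usage: apply_rules accept|drop" >&2; return 2 ;;
    esac
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Stand-alone use: ./fw.sh accept  or  APPLY=1 ./fw.sh drop
apply_rules "${1:-accept}"
```

The drop-policy variant is the "properly firewall the box" approach from the reply: with the default policy at DROP, the port 80 rule only needs to name who is allowed in, and the ESTABLISHED,RELATED rule keeps the server's own outbound connections working.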



--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/