[H-GEN] An iptables question ...
Robert Brockway
robert at timetraveller.org
Thu Sep 19 02:12:24 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
On Thu, 19 Sep 2002, Bradley Marshall wrote:
> On Thu, 19 Sep 2002, Ewan Edwards wrote:
>
> > Since I'm normally a very helpful and cooperative person, I'd like to do
> > something to help ease their concerns. The best solution I've thought of so
> > far, is for my server to simply drop all packets destined for port 80, if
> > those packets come from an address outside that one subnet in the Brisbane
> > office.
>
> The best idea would be to properly firewall the box, so only
> the services that you wish to provide are open to who you
> want to provide them to.
You took the words right out of my mouth, Brad.
> Assuming you've gotten the appropriate things compiled into
> your kernel, the following command should do something like
> what you want. I'll leave it to the reader to decide where
The reader may wish to put the firewall up before the web server comes up
or a window of opportunity is opened for an attack.
> You'd need to invert the sense of the source if you do the right
> thing and set the default policy to DROP.
If no one has made any suggestions, Ewan, I'm happy to give some pointers
later (a bit tied down at work right now). If I don't post something in a
few hours, nudge me :)
Cheers,
-Rob
-- Robert Brockway B.Sc. email: robert at timetraveller.org ICQ: 104781119
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/
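
The two rule forms discussed in this thread (drop port 80 traffic from outside one subnet, or, with a default DROP policy, the inverted accept rule), as an added example that is not part of the original message and is not the command quoted from the earlier post. It is a shell function that prints an iptables-restore ruleset without applying it; the subnet 192.0.2.0/24 and the name gen_rules are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that limits TCP port 80
# to one subnet. Nothing is applied here; the rules are only written to stdout.
# ALLOWED_NET is a placeholder (documentation range), not a value from the thread.
ALLOWED_NET="${ALLOWED_NET:-192.0.2.0/24}"

# gen_rules POLICY [SUBNET]
#   POLICY is the default policy of the INPUT chain: ACCEPT or DROP.
gen_rules() {
    policy="$1"
    net="${2:-$ALLOWED_NET}"
    case "$policy" in
        ACCEPT|DROP) ;;
        *) echo "gen_rules: policy must be ACCEPT or DROP" >&2; return 2 ;;
    esac
    # Accept only digits, dots and a slash so the subnet cannot carry extra options.
    case "$net" in
        ''|*[!0-9./]*) echo "gen_rules: bad subnet '$net'" >&2; return 2 ;;
    esac
    # Loading this output replaces the whole filter table.
    # FORWARD and OUTPUT are left at the kernel default (ACCEPT).
    printf '%s\n' "*filter" ":INPUT $policy [0:0]" \
        ":FORWARD ACCEPT [0:0]" ":OUTPUT ACCEPT [0:0]"
    if [ "$policy" = DROP ]; then
        # Default deny: every wanted service needs its own ACCEPT rule
        # (for example remote administration, which is not listed here).
        printf '%s\n' \
            "-A INPUT -i lo -j ACCEPT" \
            "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
            "-A INPUT -p tcp --dport 80 -s $net -j ACCEPT"
    else
        # Default allow: drop port 80 from every source NOT in the subnet.
        printf '%s\n' "-A INPUT -p tcp --dport 80 ! -s $net -j DROP"
    fi
    printf '%s\n' "COMMIT"
}
```

Piping the output to iptables-restore --test parses the ruleset without committing it. Loading the rules from a boot step that runs before the web server starts avoids the window of exposure mentioned in the message.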