IPTABLES is driving me crazy!!! :P

Jeremy Fowler jfowler at westrope.com
Fri Dec 20 17:52:20 CST 2002


Yes, you just have to specifically name that website - by ip address, network
address, or hostname. Note that rules are added to the table in the order they
are given (if using the -A append option). A packet traverses each rule in a
chain until it finds a rule it matches. So make sure if you want to specifically
drop a host, do it before any ACCEPT rules or else an ACCEPT rule may let
packets thru that you don't want. It's always a good idea to flush your rules to
give yourself a clean slate and then add the rules you want in the sequence that
they should be traversed. -Jeremy

> -----Original Message-----
> From: Advancewarning [mailto:advancewarning at swbell.net]
> Sent: Friday, December 20, 2002 11:38 AM
> To: Jeremy Fowler; KCLUG
> Subject: Re: IPTABLES is driving me crazy!!! :P
>
>
> So if by default I drop everything and allow web in, is there a way I
> can just drop a certain website?
>
>
> Mike
> ----- Original Message -----
> From: "Jeremy Fowler" <jfowler at westrope.com>
> To: "Advancewarning" <advancewarning at swbell.net>; "KCLUG" <kclug at kclug.org>
> Sent: Friday, December 20, 2002 10:49 AM
> Subject: RE: IPTABLES is driving me crazy!!! :P
>
>
> > When you set a chain's policy to DROP all packets are dropped, unless you
> > add a specific rule to accept those certain types of packets. So if you want
> > Internet access, you have to accept those types of packet - specifically
> > outgoing TCP packets with a destination port of 80 and then add a rule for
> > the state engine to accept the incoming reply packets.
> >
> > So
> >
> > # Drop *all* packets going across the FORWARD chain
> > iptables -P FORWARD DROP
> > # Except for RELATED and ESTABLISHED packets
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > # Except for NEW TCP packets with destination port 80
> > iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
> >
> >
> >
> > Then just continue to add rules that accept only the types of packets you
> > want thru. This may sound extremely complex at first, and it is. It just
> > takes time to understand the syntax, structure, and meaning of each rule.
> > Remember, firewall rules are both an art and a science. Getting proficient
> > and getting the rules right just takes time. Read the HOWTOs on
> > netfilter.org, search google for sample iptables firewall scripts (some
> > people call them rc.firewall), and experiment. Remember this should be fun,
> > so take your time.
> >
> >
> >
> >
> > -----Original Message-----
> > From: owner-kclug at marauder.illiana.net
> > [mailto:owner-kclug at marauder.illiana.net]On Behalf Of Advancewarning
> > Sent: Thursday, December 19, 2002 11:09 PM
> > To: KCLUG
> > Subject: IPTABLES is driving me crazy!!! :P
> >
> >
> > First things first, I want to set up all the policies so that by default
> > they DROP. I did that.
> >
> > For some reason as soon as I set FORWARD to DROP I no longer have INTERNET!
> >
> > If I leave it as ACCEPT it works
> >
> > Another thing is how do I get Apache to work? The only way it will is if I
> > set all the policies to ACCEPT.
> >
> > Also if I set OUTPUT to DROP I lose SSH capability.
> >
> > This is what I have set in order for it to work.  Is there something I am
> > missing here in order for all these to be set to DROP to work properly?
> >
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > LOG        all  --  anywhere             anywhere           LOG level warning
> > ACCEPT     all  --  muldersworld         advancewarning.net
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> >
> > Thanks!
> > Mike
> >
> >
> >
>
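Putting Jeremy's ordering advice together with the FORWARD rules from his earlier message, here is an added example (not a script from this thread): a small sh script that flushes the chain, sets the default to DROP, places the host-specific DROP before any ACCEPT, and checks that ordering in dry-run mode. The interface names and the blocked address are assumed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a FORWARD chain in the
# order Jeremy describes: flush, default DROP, host-specific DROP first, then
# the stateful ACCEPTs. Defaults to dry-run (prints commands); DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"
BLOCKED_HOST="${BLOCKED_HOST:-203.0.113.10}"   # constructed placeholder address
LAN_IF="${LAN_IF:-eth1}"                         # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"                         # assumed outside interface

ipt() {
    if [ "$DRY_RUN" = "0" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # 1. Clean slate so the traversal order is exactly what follows.
    ipt -F FORWARD
    # 2. Default deny: nothing crosses the chain without an explicit ACCEPT.
    ipt -P FORWARD DROP
    # 3. The host-specific DROP comes first; a later ACCEPT would match before it.
    ipt -A FORWARD -d "$BLOCKED_HOST" -j DROP
    # 4. Reply traffic for connections that were already allowed.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 5. New outbound web connections from the LAN only.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW \
        -p tcp --dport 80 -j ACCEPT
}

# Returns 0 when the generated rule list has the -j DROP rule ahead of the
# first -j ACCEPT rule, i.e. the ordering Jeremy warns about is right.
drop_before_accept() {
    (DRY_RUN=1; build_rules) | awk '
        /-j DROP/   && !drop { drop = NR }
        /-j ACCEPT/ && !acc  { acc  = NR }
        END { if (drop && acc && drop < acc) exit 0; exit 1 }'
}

build_rules
```

Matching by hostname (-d www.example.com) resolves the name once, when the rule is added, so a site served from several or changing addresses is only partly covered; matching by address or network is more predictable.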