[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables filtering ports under nat

Diego Lilioso escribió:

You'd be use FORWARD chain in the table filter.

POSTROUTING and PREROUTING is in the nat table.

# The first rule allow traffic in port tcp/80
/sbin/iptables -A FORWARD -s <> -p tcp --dport 80 -j ACCEPT

# The second rule allow the trafic inbound to <> source from port tcp/80. /sbin/iptables -A FORWARD -d <> -p tcp --sport 80 -j ACCEPT

# The third rule drop all trafics in all ports and protocols.
/sbin/iptables -A FORWARD -s <>  -j DROP

Best Regards,
Diego Lilioso

2008/10/16 James Shupe <shupej@hermetek.com <mailto:shupej@hermetek.com>>


    You'd be better off with a DROP policy where you could just use:

    /sbin/iptables .... -d $EXTERNAL_HOST -p 80 -j ACCEPT

    With your ACCEPT policy, just use inverse:

    /sbin/iptables .... -d ! $EXTERNAL_HOST -p 80 -j DROP

    "-p 80" needs to be "-p tcp --dport 80". Not sure how I overlooked it.

    James Maurice Shupe       | HermeTek Network Solutions
    shupej@hermetek.com <mailto:shupej@hermetek.com>       | *NIX
    Consulting and Hosting
    GPG signed mail preferred | http://www.hermetek.com
    Plain text mail preferred | 1.866.325.6207

    Key fingerprint: D484 EACC 9D0F A2A5 5277 C4A8 5704 1987 A938 DF3A

    This Email is covered by the Electronic Communications Privacy Act,
    18 U.S.C. 2510-2521 and is legally privileged. The information
    contained in this Email is intended only for use of the individual
    or entity named above. If the reader of this message is not the intended
    recipient, or the employee or agent responsible to deliver it to the
    intended recipient, you are hereby notified that any dissemination,
    distribution or copying of this communication is strictly prohibited.
    If you have received this communication in error, please immediately
    notify us by telephone 1.866.325.6207 and destroy the original message.

    On Thu, 2008-10-16 at 15:27 -0400, Luis Rondon Paz wrote:
     > hello everyone i have a question
     > i have this in my iptables
     > EXT_IF=eth1
     > #############
     > /sbin/iptables -t nat -A POSTROUTING -s
    <> -o $EXT_IF -j MASQUERADE
     > now
     > how can i DROP ALL TRAFIC FROM IP <>
    ??? exept port 80 to one
     > external ip ?
     > example
     > i neeed to drop all traffic
     > and  i need to allow the traffic to one address only
     > how can i do that Ç????
     > /sbin/iptables -t nat -A POSTROUTING -s
     > -o $EXT_IF -j  ACCEPT
     > /sbin/iptables -t nat -A POSTROUTING -s
    <> -d <> -o $EXT_IF
     > -j  DROP ???
     > thanks for reading me .

Hi, I am new on this list.
I'm from argentina.
I think that if he only can use the 80/tcp port for surf, the rule

/sbin/iptables -A FORWARD -d -p tcp --sport 80 -j ACCEPT

isn't necesary, with rule

iptables -t filter -A FORWARD -s -d 0/0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT

it gonna work fine, if the FORWARD policy is DROP.


Reply to: