
Re: Iptables Help



"GBV" <guilherme@plannercorretora.com.br> writes:

> I have a webserver on port 3321
> 
> how I can use iptables to deny (drop) all packages coming from internet??

[...]

> Deny any request coming from eth0, destined to this host on port
> 3321

I had a bit of trouble interpreting what you really wanted answered.
You should be a bit more specific about the machine's configuration
and what you are looking to achieve.

Nonetheless, I am going to *assume* that you do not want a default
deny type setup (though you probably should).  Going on that
assumption, to have your host drop all packets destined for a 3321/tcp
listener on interface eth0:

iptables -A INPUT -i eth0 -p tcp --dport 3321 -j DROP

...is one of many ways to do it, and it assumes that the INPUT chain's
policy is ACCEPT.

Let me reiterate, this is a _very_bad_ way to construct a firewall.  A
better approach would be to tell us what services you do want to
provide, and to whom, the number of interfaces and their connections,
etc.

Then you set the default policy on all chains to DENY and open only
those services you intend to provide and can secure.  This is then a
good place to start from; there are many other layers of security to
consider: tcpwrappers, ALGs, etc.

Perhaps this is a multihomed host and it has a web server on 3321/tcp
and you only want it listening on the internal interface?  Most
daemons can be configured to bind to a specific address rather than all
available, though this in no way precludes the need to harden an
Internet accessible system.  You should consider all these angles.



hope that, (at least mildly) helps,
jereme

-- 
+--------------------------------------------------------------+
Jereme Corrado <jereme@restorative-management.com>
System Administrator
Restorative Management Corp.

gpg: 1024D/9C39E1F0
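Added example, not part of jereme's reply or the original question: the
default-deny layout the reply recommends, written as a POSIX shell script
that generates an iptables-restore ruleset (INPUT and FORWARD policy DROP,
loopback and established traffic allowed, the 3321/tcp listener reachable
only on the internal interface, SSH the only service opened on the
external one). The interface names eth0/eth1, the SSH port, the function
names fw_rules/fw_apply and the use of the conntrack match are all
assumptions chosen for illustration; nothing here is from the original
post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a default-deny
# iptables ruleset in iptables-restore format. Interface names, the SSH
# port and the function names are assumptions for illustration.

# fw_rules EXT_IF INT_IF WEB_PORT [SSH_PORT]
# Prints a ruleset in which INPUT and FORWARD default to DROP, the web
# listener is admitted only from the internal interface, and SSH is the
# only new-connection service admitted from the external interface.
fw_rules() {
    ext_if=$1
    int_if=$2
    web_port=$3
    ssh_port=${4:-22}

    # Refuse anything that is not a port in 1..65535, so a typo cannot
    # produce a ruleset that iptables-restore rejects part-way through.
    for p in "$web_port" "$ssh_port"; do
        case $p in
            ''|*[!0-9]*) echo "fw_rules: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "fw_rules: port out of range '$p'" >&2
            return 1
        fi
    done

    # Lines beginning with '#' are ignored by iptables-restore.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no tracked connection are dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
# web listener on $web_port/tcp: internal interface only
-A INPUT -i $int_if -p tcp --dport $web_port -m conntrack --ctstate NEW -j ACCEPT
# management: SSH is the only service opened on $ext_if
-A INPUT -i $ext_if -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# fw_apply EXT_IF INT_IF WEB_PORT [SSH_PORT]
# Loads the ruleset atomically with iptables-restore, after a --test dry
# run so a syntax error cannot leave a half-loaded ruleset behind.
# Needs root and the iptables userland; run this only on the real host.
fw_apply() {
    rules=$(fw_rules "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Run directly, e.g.  sh fw.sh eth0 eth1 3321 > rules.v4  prints the
# ruleset for review; fw_apply eth0 eth1 3321 would load it.
if [ "$#" -ge 3 ]; then
    fw_rules "$@"
fi
```

Review the generated text before loading it: the one rule that matters
most is the absence of any ACCEPT for the web port on the external
interface, which is exactly what a default-deny policy gives you for free
and what an "ACCEPT everything, then DROP a port" chain does not.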

