On Tue, Oct 30, 2007 at 05:09:50PM +0100, Erik Persson wrote:
> Hello!
>
> I have a server which is running 2 different virtual hosts (vserver), let's
> call them S for the server, A and B for the virtual hosts A and B.
> S, A and B have different ip-addresses (say s.s.s.s, a.a.a.a and b.b.b.b).
>
> Since the server isn't really forwarding anything I haven't used the
> FORWARD chain for anything, and I use INPUT and OUTPUT to regulate the flow
> to the different servers, for example:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -I INPUT -d a.a.a.a -p tcp --dport 80 -j ACCEPT
> on the server
> seems to do what I want. In the example above letting A and only A answer
> requests on port 80.
>
> However, when I try to regulate the flow of traffic between the different
> "machines" (S, A, and B) strange things happen.
>
> For example:
> iptables -I OUTPUT -d a.a.a.a -p tcp --dport 25 -j ACCEPT
> doesn't only allow any of the "machines" to try to contact port 25 on A,
> but it *also allows A to answer* !!!

if by answer, you mean respond to the same request, then that is appropriate,
IIUC. The rules relate to *new* requests, not responses to existing ones.
That's why when you block port 80 inbound, you can still receive packets --
they match up to outbound requests your browser has made.

I think that's right.

A
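The "responses match up to earlier requests" behaviour the reply describes is what iptables connection tracking provides through a `-m state --state ESTABLISHED,RELATED` rule. The following is an added illustration, not code from the thread or from the vserver/netfilter projects: a simplified model of INPUT/OUTPUT filtering that runs the thread's `--dport 25` rule with and without a state match. It uses the thread's placeholder addresses and assumes the ephemeral ports and the `Packet`/`Firewall` names; it does not model vserver's internal delivery path.

```python
# Added illustration (not code from the thread): a simplified model of iptables
# chain filtering showing how a "-m state --state ESTABLISHED" rule lets a
# response match the request that created the connection.
from dataclasses import dataclass

S, A = "s.s.s.s", "a.a.a.a"  # placeholder addresses from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Chains with a DROP policy, first-match rules and a flow table."""

    def __init__(self):
        self.rules = {"INPUT": [], "OUTPUT": []}
        self.flows = set()  # (src, sport, dst, dport) of accepted first packets

    def add(self, chain, target, dst=None, dport=None, state=None):
        # Like: iptables -I <chain> [-d dst] [--dport dport] [-m state --state X] -j target
        self.rules[chain].insert(0, (dst, dport, state, target))

    def state(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def filter(self, chain, pkt):
        for dst, dport, state, target in self.rules[chain]:
            if dst is not None and dst != pkt.dst:
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if state is not None and state != self.state(pkt):
                continue
            if target == "ACCEPT":
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return target
        return "DROP"  # chain policy


def smtp_exchange(stateful):
    """Verdicts for: S -> A:25 request, A's reply, and a fresh A -> S:25 probe."""
    fw = Firewall()
    fw.add("OUTPUT", "ACCEPT", dst=A, dport=25)  # the rule from the thread
    if stateful:
        fw.add("OUTPUT", "ACCEPT", state="ESTABLISHED")
    request = Packet(S, 40000, A, 25)   # assumed ephemeral source port
    reply = Packet(A, 25, S, 40000)     # A's answer, also leaving via OUTPUT
    probe = Packet(A, 40001, S, 25)     # a new connection A tries to open
    return tuple(fw.filter("OUTPUT", p) for p in (request, reply, probe))
```

Without the state rule only the request matches; with it the reply is accepted as ESTABLISHED while A's fresh connection attempt still falls through to the DROP policy.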