Re: Firewall/iptables question
- To: Debian Users <firstname.lastname@example.org>
- Subject: Re: Firewall/iptables question
- From: Hilco Wijbenga <email@example.com>
- Date: Tue, 3 May 2011 18:34:39 -0700
- Message-id: <BANLkTim62rNnK1m6gJuCziQaZZ=OOF6_firstname.lastname@example.org>
- In-reply-to: <BANLkTi=9iR+SE-w2Fd_mJq4R-PDGVgoh_A@mail.gmail.com>
- References: <BANLkTi=9iR+SE-w2Fd_mJq4R-PDGVgoh_A@mail.gmail.com>
On 3 May 2011 16:21, Hilco Wijbenga <email@example.com> wrote:
> Hi all,
> I'm attempting to set up a simple firewall on a virtual server. I have
> the following:
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -j LOG
> iptables -A INPUT -j REJECT
> (And iptables -L shows that this setup has been accepted.)
> This was supposed to only allow my box (or at least my public IP)
> access to port 80 on this server. I can not access port 80 at all,
> however. (Please note that without --source it works as expected.)
> What am I doing wrong?
Mmmh, it does work after all. You have to be careful to restart
everything, I guess.
I've moved the --source to the SSH line. That works too but it seems
like I can only have 1 connection open at the same time. Sort of. I
have a reverse connection from a local server with a non-routable IP
to this public server. That works. But then I can't access the public
server anymore. If I kill the reverse connection and wait a few
minutes, I can log in again. Switch the reverse connection back on ...
and I can't log in anymore. Strange.
> On a related note, the logging only logs the packet, but no timestamp.
> Is that configurable somewhere?
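As an added illustration, not part of this thread: the `-j LOG` rule hands the packet summary to the kernel log, and it is the syslog daemon writing it to /var/log/kern.log that prepends a timestamp. The parser below (example code, not from the list or from Debian) pulls that timestamp and the packet fields out of such lines; the sample lines are constructed and assume the LOG rule was given `--log-prefix "FW-DROP: "`.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not real traffic), modelled on what the ruleset's
# "-j LOG" rule produces once syslog writes the kernel message to /var/log/kern.log.
# The "FW-DROP: " prefix assumes the rule was given --log-prefix; the leading
# timestamp comes from syslog, not from the LOG target itself.
SAMPLE_KERN_LOG = """\
May  3 18:34:39 vps kernel: [ 8123.456789] FW-DROP: IN=venet0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 18:34:41 vps kernel: [ 8125.000001] FW-DROP: IN=venet0 OUT= SRC=198.51.100.23 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 18:34:42 vps sshd[1234]: Accepted publickey for hilco from 203.0.113.5 port 51240 ssh2
"""

# Syslog header, optional kernel uptime stamp, optional --log-prefix, then the packet fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[ *[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$"
)
KV_RE = re.compile(r"([A-Z]+)=(\S*)")
BARE_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF"}  # tokens without '='


def parse_log_line(line, year):
    """Return a dict for one LOG-target line, or None for unrelated syslog lines.

    The classic syslog timestamp carries no year, so the caller supplies it.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    kv = dict(KV_RE.findall(m["fields"]))
    return {
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "prefix": m["prefix"].strip(),
        "in": kv.get("IN"), "src": kv.get("SRC"), "dst": kv.get("DST"),
        "proto": kv.get("PROTO"), "spt": kv.get("SPT"), "dpt": kv.get("DPT"),
        "flags": {tok for tok in m["fields"].split() if tok in BARE_FLAGS},
    }


def parse_kern_log(text, year):
    """Parse every LOG line in a kern.log excerpt, skipping non-firewall lines."""
    entries = (parse_log_line(l, year) for l in text.splitlines())
    return [e for e in entries if e is not None]


def rejected_by_port(entries):
    """Count logged packets per PROTO/DPT; in this ruleset LOG is followed by REJECT."""
    return Counter((e["proto"], e["dpt"]) for e in entries)
```

Reading the log through `dmesg` instead of syslog shows only the kernel uptime stamp in brackets, which is why the wall-clock time appears to be missing there.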