[ale] Using iptables

Michael H. Warfield mhw at WittsEnd.com
Sun Jun 25 00:32:57 EDT 2006


On Sat, 2006-06-24 at 23:33 -0400, Terry Bailey wrote:
> I would like to use iptables to restrict all but one IP address to a web 
> server.
> 
> I tried
> 
> 	#/usr/sbin/iptables -t filter -A INPUT -p tcp -s !218.23.45.2 --dport 80 -j DROP

> but this is not accepted.

	What does "this is not accepted" mean?  Did you get an error (actually, I
suspect you did) or did it just not work (which it probably won't even
if you get past the error I suspect).  There are no errors "this is not
accepted".  Be specific, be detailed, and be precise.  We are not mind
readers.

	That being said, I can anticipate two sources of errors.  One is that
you used a "-A" which would append to the end of the INPUT chain.  If
there are any other preceding rules (which, by default, there are) that
accept the "--dport 80" then you won't even get that far and your rule
will have NULL effect.  Try a "-I" instead of "-A" to insert at the head
of the chain instead of appending to the end.

	If, OTOH, you got an error on the command like "command 218 not found"
or such, you need to watch that "!" on a command.  The "bang" character
is an escape to history.  That could have tried to look for command
number 218 in your history and tried to substitute it.  Either escape
that bang ("\!") or put that parameter in single quotes.

	Either or both of the above two errors would basically screw you over
big time.  But, from your description, I can't tell if either apply.  It
could be either or both or something totally different.

	Now...  If either of the above two kludges rings the bell, you are done.
If they don't, then, next time, post the exact and literal error
messages you get ("this is not accepted" is "not acceptable") and,
especially if you don't get an error, the output from "iptables -L
INPUT".  Maybe we can make an educated guess without invoking Houdini.

> Any help here would be appreciated.

> Thanks,

> Terry Bailey

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
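Added example, not part of the original thread: a small Python model of first-match chain evaluation that shows why the DROP rule has no effect when appended (-A) behind an existing ACCEPT for port 80, but works when inserted (-I) at the head of INPUT. The Rule/Chain classes, the sample addresses and the pre-existing ACCEPT rule are constructed for illustration; the negated source match models iptables' "! -s ADDR" form (the older "-s ! ADDR" spelling is deprecated).

```python
# Added example (not from the original post): a minimal first-match model of
# an iptables INPUT chain, used to show why appending (-A) the DROP rule after
# an existing ACCEPT for port 80 has no effect, while inserting it (-I) at the
# head of the chain does. Addresses and rules are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # e.g. "tcp"
    src: Optional[str] = None       # source address to match
    src_negate: bool = False        # the "! -s" form: match anything except src
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None:
            same = pkt["src"] == self.src
            if same == self.src_negate:   # negated: match only when NOT the same
                return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True

@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # iptables -A: end of chain
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: head of chain
        self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        # First matching rule wins; the chain policy applies if nothing matches.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def restrict_web(use_insert: bool, allowed_ip: str = "218.23.45.2") -> dict:
    # Start from a chain that already accepts web traffic (the "preceding
    # rules" the reply mentions), then add the DROP-everyone-else rule.
    chain = Chain(rules=[Rule("ACCEPT", proto="tcp", dport=80)])
    block = Rule("DROP", proto="tcp", src=allowed_ip, src_negate=True, dport=80)
    (chain.insert if use_insert else chain.append)(block)
    web = {"proto": "tcp", "dport": 80}
    return {"allowed": chain.verdict({**web, "src": allowed_ip}),
            "other": chain.verdict({**web, "src": "203.0.113.7"})}
```

Running restrict_web(False) returns ACCEPT for both sources (the appended rule is never reached), while restrict_web(True) drops everything except the allowed address; on a real box, "iptables -L INPUT" shows the order that decides this.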
