[ale] Using iptables
Michael H. Warfield
mhw at WittsEnd.com
Sun Jun 25 00:40:47 EDT 2006
On Sun, 2006-06-25 at 00:23 -0400, Jim Popovitch wrote:
> Terry Bailey wrote:
> > I would like to use iptables to restrict all but one IP address to a web
> > server.
> >
> > I tried
> >
> > #/usr/sbin/iptables -t filter -A INPUT -p tcp -s !218.23.45.2 --dport 80
> > -j DROP
> >
> > but this is not accepted.
> >
> > Any help here would be appreciated.
> I've never used "!" in iptables statements, but this should work for you:
> iptables -A INPUT -p tcp -s 218.23.45.2 --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j DROP
Won't work if he's already got a rule in his tables that accepts port
80 first. The -A appends after everything. If he's got a -A ... --port
80 ... -j ACCEPT in his /etc/sysconfig/iptables file (assuming he's
using RedHat or FC or CentOS or any similar compatible flavor) then
another -A after that won't do jack. I've seen this too often where
someone has a set of tables and expects an add-on rule to work when it
never gets that far because a preceding rule takes precedence.
> hth,
>
> -Jim P.
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
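To make the rule-ordering point concrete, here is an added example that is not code from this thread or from either poster: a small Python model of an iptables INPUT chain with the kernel's first-match semantics. The chain contents, the addresses (218.23.45.2 is the one from the thread; 203.0.113.7 is a constructed "other" client), and the `append`/`insert` helpers mirroring `-A` and `-I` are all constructed for illustration. It shows that a DROP appended after an existing "accept port 80" rule is never reached, while the same rule inserted at position 1 (or an ACCEPT/DROP pair placed ahead of the existing rule) behaves as intended.

```python
"""
Added example (not part of the original ALE thread): a first-match simulator
for an iptables INPUT chain.  Everything here is constructed for illustration;
it does not talk to the kernel.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT or DROP
    dport: Optional[int] = None   # None = any destination port
    src: Optional[str] = None     # source address or CIDR, None = any
    negate_src: bool = False      # models "! -s <addr>" (note the space)

    def matches(self, src_ip: str, dport: int) -> bool:
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is None:
            return True
        in_src = ip_address(src_ip) in ip_network(self.src, strict=False)
        return (not in_src) if self.negate_src else in_src

    def as_command(self) -> str:
        """Render the rule in current iptables syntax, as it would be loaded with -A."""
        parts = ["iptables", "-A", "INPUT", "-p", "tcp"]
        if self.src is not None:
            parts += (["!"] if self.negate_src else []) + ["-s", self.src]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def verdict(chain: List[Rule], src_ip: str, dport: int,
            policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (target, 1-based rule number) or (policy, None) if nothing matched."""
    for idx, rule in enumerate(chain, start=1):
        if rule.matches(src_ip, dport):
            return rule.target, idx
    return policy, None


def append(chain: List[Rule], rule: Rule) -> List[Rule]:
    """iptables -A INPUT ... : goes after everything already in the chain."""
    return chain + [rule]


def insert(chain: List[Rule], rule: Rule, pos: int = 1) -> List[Rule]:
    """iptables -I INPUT <pos> ... : goes in front of the current rule <pos>."""
    return chain[:pos - 1] + [rule] + chain[pos - 1:]


# Constructed "existing" chain: a stock ruleset that already opens ports 22 and 80.
EXISTING = [Rule("ACCEPT", dport=22), Rule("ACCEPT", dport=80)]
ALLOWED = "218.23.45.2"   # the one client the thread wants to permit
OTHER = "203.0.113.7"     # constructed: any other client

RESTRICT = Rule("DROP", dport=80, src=ALLOWED, negate_src=True)


def appended_drop_is_shadowed():
    """-A after an existing ACCEPT for port 80: the DROP is never evaluated."""
    return verdict(append(EXISTING, RESTRICT), OTHER, 80)


def inserted_drop_works():
    """-I INPUT 1: the DROP is evaluated first, so only 218.23.45.2 gets through."""
    chain = insert(EXISTING, RESTRICT, 1)
    return verdict(chain, OTHER, 80), verdict(chain, ALLOWED, 80)


def allow_then_drop_pair():
    """Jim's two-rule form, but inserted ahead of the existing rules instead of appended."""
    chain = insert(EXISTING, Rule("DROP", dport=80), 1)
    chain = insert(chain, Rule("ACCEPT", dport=80, src=ALLOWED), 1)
    return verdict(chain, OTHER, 80), verdict(chain, ALLOWED, 80)


if __name__ == "__main__":
    print("appended DROP, other client:", appended_drop_is_shadowed())
    print("inserted DROP, other/allowed:", inserted_drop_works())
    print("allow+drop pair, other/allowed:", allow_then_drop_pair())
    print("equivalent load of the inserted chain:")
    for r in insert(EXISTING, RESTRICT, 1):
        print("  " + r.as_command())
```

On a real box the same check is `iptables -L INPUT -n --line-numbers`, which prints the chain in evaluation order so you can see which rule number an appended entry landed on and whether an earlier ACCEPT for the same port sits above it.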