[ale] IP table question
Michael H. Warfield
mhw at WittsEnd.com
Tue Sep 12 11:47:27 EDT 2006
On Tue, 2006-09-12 at 11:23 -0400, Terry Bailey wrote:
>
> The following line on a web server with IP of 192.168.1.50 allows my
> computer with IP of 192.168.1.100 to access the web site of the
> server. But it also allows access via https from my computer. I thought
> https used another port. Could someone explain this?
Correct. 443/tcp is used for https.
> iptables -I INPUT -p tcp --dport 80 -s ! 192.168.1.100 -j DROP
This rule has no impact on port 443. It only matches on port 80. You
haven't specified a rule for port 443.
Because of the way you have this written, port 443 is not impacted at
all and, unless it's dropped elsewhere, open for everyone, not just
192.168.1.100. This rule fires only if the destination port is 80/tcp
AND the source address IS NOT 192.168.1.100. If either of those
conditions is not true (port other than 80/tcp OR source address IS
192.168.1.100), then the rule fails and you fall through. So, if
the destination port is anything other than 80, the address test has no
effect (logical OR) and the rule fails and you pass through. So you
don't drop anything for any other port, regardless of the source
address.
Not sure what you are trying to do here but I doubt it's what you wrote
there. You're leaving everything open (subject to other rules) other
than port 80? You'll probably need multiple rules and, then, probably
frame it as a series of "-j ACCEPTS" followed by a catchall "DROP".
> The server is running Fedora.
>
>
> Thanks,
>
> Terry Bailey
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
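An added example, not from Mike's reply or the list: a shell script with the ACCEPT-then-catch-all-DROP rule set he suggests (assuming the 192.168.1.x addresses from the question and, as an added assumption, that the server's own established connections and loopback traffic should stay allowed), plus a small first-match simulator that shows why the original single rule leaves 443/tcp open to everyone.

```shell
#!/bin/sh
# Part 1: the rule set, printed for review rather than executed (no root
# needed here). Rules append in order to an already flushed INPUT chain.
print_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -j DROP
EOF
}

# Part 2: first-match simulator for a chain of "dport src target" rules.
# "*" matches anything; a leading "!" on src negates the test, as with
# "-s ! addr". Every condition of a rule must hold (logical AND) for it
# to fire; the first firing rule decides, else the default policy applies.
# Usage: verdict orig|fixed <dport> <src>  -> prints ACCEPT or DROP
verdict() {
    chain=$1 dport=$2 src=$3
    case $chain in
        orig)  rules='80 !192.168.1.100 DROP' ;;
        fixed) rules='80 192.168.1.100 ACCEPT
443 192.168.1.100 ACCEPT
* * DROP' ;;
    esac
    while read -r rdport rsrc target; do
        # destination port test
        [ "$rdport" = '*' ] || [ "$rdport" = "$dport" ] || continue
        # source address test, with "!" negation
        case $rsrc in
            '*') ;;
            "!"*) [ "${rsrc#!}" != "$src" ] || continue ;;
            *)    [ "$rsrc" = "$src" ] || continue ;;
        esac
        echo "$target"; return 0
    done <<EOF
$rules
EOF
    echo ACCEPT   # nothing matched: INPUT default policy (ACCEPT assumed)
}

print_rules
verdict orig 443 192.168.1.200   # ACCEPT: the hole in the original rule
verdict fixed 443 192.168.1.200  # DROP: caught by the catch-all
```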