On Monday 18 March 2002 21.42, Tobias Breckle wrote:
hi list, I recently switched from personal-firewall to a self-made firewall script because I want to share some ports (e.g. www) to the outside world. I decided to filter those ports and simply drop all other packets. To filter out the packets I use some code like this:
IPTABLES -N www
creates a new rule-chain called www
IPTABLES -A www -j ACCEPT
Appends an empty rule to the www chain with target ACCEPT. I think IPTABLES -P www ACCEPT would be a better way to do it.
IPTABLES -I INPUT -p tcp -m state --state NEW -i $INET_DEV --dport 80 -j www
Allows new connections to be made on port 80, but doesn't allow packets relating to already established connections (--state ESTABLISHED).
IPTABLES -I OUTPUT -p tcp -m state --state NEW -o $INET_DEV --dport 80 -j www
Allows you to connect to other web servers, but again not to actually communicate with them (again --state ESTABLISHED). Also, if this is the only output rule you have, note that outbound packets from your web server will not have --dport 80. User clients will always (?) be on high ports (> 1024). Perhaps --sport 80 was what you meant.
But it doesn't work. Other outside clients say my server's port 80 is open but they don't receive anything when accessing it. From the internal LAN all things work fine. Does anyone know what's wrong?
thx in advance
[LAN-Power.net] Tobias Breckle
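As an added example (not code from either poster), here is a minimal ruleset that applies the reply's point: accept NEW connections to port 80 and, separately, accept ESTABLISHED/RELATED traffic in both directions so that replies get through. The interface name eth0 and the dry-run default (commands are only printed unless IPTABLES points at the real binary) are assumptions.

```shell
#!/bin/sh
# Assumptions: external interface is eth0; IPTABLES defaults to "echo iptables"
# so the generated rules can be reviewed without root. Set
# IPTABLES=/sbin/iptables to actually apply them.
INET_DEV="${INET_DEV:-eth0}"
IPTABLES="${IPTABLES:-echo iptables}"

www_rules() {
    # Default policies: drop anything no rule accepts.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    # Loopback traffic is always needed locally.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections already accepted (the web server's
    # replies to outside clients, and remote servers' replies to local
    # browsers) must be let through; this is what the original script lacked.
    $IPTABLES -A INPUT -i "$INET_DEV" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INET_DEV" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections then need explicit rules: inbound to our web
    # server (dport 80) and outbound from local clients to remote web servers.
    $IPTABLES -N www
    $IPTABLES -A www -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_DEV" -p tcp --dport 80 -m state --state NEW -j www
    $IPTABLES -A OUTPUT -o "$INET_DEV" -p tcp --dport 80 -m state --state NEW -j www
}

# Check helper for reviewing the dry run: returns 0 if a rule containing
# the given text is emitted, 1 otherwise.
has_rule() {
    www_rules | grep -q -- "$1"
}

www_rules
```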