On Fri, 6 Jun 2003, Ruprecht Helms wrote:
Hi,
How do I have to define iptables rules so that a webserver can be reached from the internet, and on the webserver itself ports 80 and 53 can be used?
All other ports except port 80 should not be available.
Here is a copy of my firewall that does what you want to do. You need to open a hole to access port 53 BEFORE dropping all other port access.

Regards
K. Roberts

USE AT YOUR OWN RISK!!!

#! /bin/bash
# file-id: [path to firewall script]
#
# custom script to start iptables packet filter firewall rules
#
# run this script from /etc/boot.local
#
# last updated 19-05-2003
#
#------------------------------------------------------#
echo; echo "======================================================================="
echo "Running [path to firewall script]"
echo " - Initial status of firewall is:"
echo "======================================================================="; echo
#------------------------------------------------------#
# list initial status of iptables
iptables -L -v

# flush ALL rules in the filter table (the default table; nat and mangle
# need their own "-t <table> -F") and clear packet & byte counters
iptables -F
iptables -Z

# delete ALL user-defined chains in the filter table
iptables -X

# -F does not touch the built-in chain policies, so set them
# explicitly to the ACCEPT state the next message announces
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#------------------------------------------------------#
echo; echo "======================================================================="
echo "Policy of firewall chains INPUT, FORWARD, OUTPUT"
echo "should now be ACCEPT"
echo "======================================================================="; echo
#------------------------------------------------------#
# re-list status of packet filtering tables
iptables -L -v
#------------------------------------------------------#
echo; echo "======================================================================="
echo "Starting and setting-up my own custom firewall now!"
echo "======================================================================="; echo
#------------------------------------------------------#
#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#
iptables -N open_port_80

# LOG all remote connections coming in on ppp0 to apache port 80
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 -j LOG --log-prefix 'Remote Port 80 connects '
# ACCEPT all remote connections coming in on ppp0 to apache port 80
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 -j ACCEPT

# LOG all local connections to apache port 80
# (the "!" goes before the option; the older "-i ! ppp0" form is deprecated)
iptables -A open_port_80 ! -i ppp0 -p tcp --dport 80 -j LOG --log-prefix 'Local Port 80 connects '
# ACCEPT all local connections to apache port 80
iptables -A open_port_80 ! -i ppp0 -p tcp --dport 80 -j ACCEPT
#------------------------------------------------------#
# create new chain that blocks all other
# new connection attempts coming in from ppp0
#------------------------------------------------------#
iptables -N block

# LOG all other new connection attempts coming from ppp0
iptables -A block -i ppp0 -m state --state NEW -j LOG --log-prefix 'DROPPED NEW CONNS ON PPP0 '
# DROP all new connection attempts coming from ppp0 and not for apache web server
iptables -A block -i ppp0 -m state --state NEW -j DROP
#------------------------------------------------------#
# jump to various chains from INPUT and FORWARD chains
# (open_port_80 must come first: anything it accepts never reaches block)
#------------------------------------------------------#
iptables -A INPUT -j open_port_80
iptables -A INPUT -j block
iptables -A FORWARD -j block
#------------------------------------------------------#
echo; echo "======================================================================="
echo "New status of firewall using my own custom rules is:"
echo "======================================================================="; echo
#------------------------------------------------------#
# re-list status of packet filtering tables
iptables -L -v

# exit with a valid code
exit 0
#------------------------------------------------------#
# end of firewall #
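The script above answers the question with default-ACCEPT policies and a "block" chain that drops only NEW connections from ppp0; the port 53 hole it mentions is left to the reader. As an added example (not K. Roberts' script and not from the original thread), the following is how a practitioner would write the same policy today: default DROP on every built-in chain, an ESTABLISHED,RELATED rule so DNS answers and HTTP responses come back without a separate inbound hole, and explicit outbound rules for the ports the host itself needs. Assumptions not taken from the thread: ppp0 is the internet-facing interface, "use port 80 and port 53 on the webserver itself" means outbound HTTP fetches and DNS lookups from the host, the kernel has connection tracking, and the IPT and WAN_IF variables are this example's own dry-run hooks.

```shell
#!/bin/sh
# Added example, not the script posted in the thread. Assumed: ppp0 faces the
# internet; the host needs outbound DNS (udp/tcp 53) and HTTP (tcp 80);
# IPT can be pointed at "echo" to review the rules without touching the kernel.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"

# Emit the rule set as iptables invocations instead of running them directly,
# so the policy can be reviewed (IPT=echo) before it is applied.
fw_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -Z
# default-deny: a forgotten hole now fails closed, not open
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# loopback is always allowed
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# replies to connections the tracker already knows; this is what lets the
# DNS answers and HTTP responses back in without an inbound hole for them
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
# the only service reachable from the internet: apache
$IPT -A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
# new outbound connections the host itself may open
$IPT -A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $WAN_IF -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
# log what the DROP policy is about to eat, rate-limited so a port scan
# cannot fill the disk with syslog lines
$IPT -A INPUT -i $WAN_IF -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "DROPPED NEW CONNS ON $WAN_IF "
EOF
}

# Run the emitted rules; stop at the first iptables error so a typo does not
# leave the box half-configured with the old rules flushed.
fw_apply() {
    fw_rules | sh -e
}

# Self-check of the emitted policy: the properties the thread cares about,
# verified as greps over the rule text rather than by trusting the author.
fw_check() {
    rules=$(fw_rules)
    echo "$rules" | grep -q -- '-P INPUT DROP' &&
    echo "$rules" | grep -q -- "-i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT" &&
    echo "$rules" | grep -q -- '-p udp --dport 53' &&
    echo "$rules" | grep -q -- 'ESTABLISHED,RELATED'
}

case "${1:-show}" in
    apply) fw_apply ;;
    check) fw_check && echo "policy looks as intended" ;;
    *)     fw_rules ;;
esac
```

Run it with no argument to print the rules, `check` to verify them, and `apply` (as root) to load them; `IPT=echo ./fw.sh apply` shows exactly what would be executed. FORWARD is DROP because this is a single host, not a router. The `-m state` match is kept for consistency with the thread; on current kernels `-m conntrack --ctstate` is the preferred spelling and both are accepted.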