"GBV" <[EMAIL PROTECTED]> writes:

> I have a webserver on port 3321
>
> how I can use iptables to deny(drop) all packages coming from internet??
[...]
> Deny any request coming from eth0, destinated to this host on port
> 3321

I had a bit of trouble interpreting what you really wanted answered. You should be a bit more specific about the machine's configuration and what you are looking to achieve. Nonetheless, I am going to *assume* that you do not want a default deny type setup (though you probably should). Going on that assumption, to have your host drop all packets destined for a 3321/tcp listener on interface eth0:

    iptables -A INPUT -i eth0 -p tcp --dport 3321 -j DROP

...is one of many ways to do it, and it assumes that the INPUT chain's policy is ACCEPT. Let me reiterate, this is a _very_bad_ way to construct a firewall. A better approach would be to tell us what services you do want to provide, and to whom, the number of interfaces and their connections, etc. Then you set the default policy on all chains to DENY and open only those services you intend to provide and can secure. This is then a good place to start from; there are many other layers of security to consider, tcpwrappers, ALGs, etc.

Perhaps this is a multihomed host and it has a web server on 3321/tcp and you only want it listening on the internal interface? Most daemons can be configured to bind to a specific addr as versus all available, though this in no way precludes the need to harden an Internet-accessible system. You should consider all these angles.

hope that, (at least mildly) helps,

jereme
--
+--------------------------------------------------------------+
Jereme Corrado <[EMAIL PROTECTED]>
System Administrator
Restorative Management Corp.
gpg: 1024D/9C39E1F0
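A default-deny INPUT chain of the kind recommended above, as an added example that is not part of the original thread: the policy drops everything, and only the 3321/tcp listener is opened, and only from the internal side. The interface names eth0/eth1 and the 192.168.1.0/24 LAN are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a default-deny
# INPUT chain: everything not explicitly accepted is dropped, so a
# single "-j DROP" for one port is no longer load-bearing.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"              # assumed: internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: trusted internal network
WEB_PORT="${WEB_PORT:-3321}"          # the listener from the question

# Emit the rule set one command per line so it can be reviewed, diffed
# against a known-good copy, or piped to sh once it looks right.
firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $WEB_PORT -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix INPUT-DROP: --log-level 4
EOF
}

# Sanity check before applying: with a DROP policy, nothing on the
# Internet-facing interface should be accepted unless that was intended.
wan_accepts() {
    firewall_rules | grep -c -- "-i $WAN_IF .*-j ACCEPT" || true
}

# Count the three chain policies so a truncated rule file is noticed.
policy_count() {
    firewall_rules | grep -c '^iptables -P ' || true
}

# Run as root to apply; DRY_RUN=1 only prints what would be executed.
apply_firewall() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        firewall_rules
    else
        firewall_rules | sh -e
    fi
}
```

Unmatched packets hit the LOG rule (rate-limited) and then the DROP policy, which is what makes the chain auditable rather than silently closed.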