On Tue, 11 Mar 2003 22:45:17 +0800, [EMAIL PROTECTED] wrote:
> Hello to you,
>
> After the following "iptables-rules" on Linux Redhat 7.2 Server :
>
> /etc/rc.d/rc.local :
> iptables -F
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
>
> Then, the Internet users can only use the port numbers (services):
> 80 (Web) and 53 (DNS)...
>
> On Linux Redhat 6.x Server, we can only use the "ipchains-rules"
> function:

You cannot compare iptables and ipchains easily, because in the above rules
you used features which are not available with ipchains.

> ipchains -F
> ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
> ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
>
> But, how can we only allow users to use port numbers (services): 80
> (Web) and 53 (DNS)... ?

Be sure to look into setting the "default policies" or add rules at the end
of a chain that drop all other traffic (DENY or REJECT).

Observe that a connection has two end-points and that at each end-point,
data are both received _and_ sent. In your example of a web server, your
machine receives incoming traffic at _destination_ port 80, but sends
outgoing traffic from _source_ port 80. So, what you want is to disallow
everything and allow only traffic _to_ and _from_ your ports 80 and 53.
Add:

ipchains --policy input DENY
ipchains --policy output DENY

## Allow outgoing traffic from your HTTP/DNS server.
ipchains -A output -i eth0 -p tcp --sport 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp --sport 53 -j ACCEPT
ipchains -A output -i eth0 -p udp --sport 53 -j ACCEPT

## Debugging rules.
ipchains -A input -s 0/0 -d 0/0 -l -j REJECT
ipchains -A output -s 0/0 -d 0/0 -l -j REJECT

Note however, that your set of rules is incomplete, and you would want to
allow access to the loopback device, for instance.

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
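The reply's two points (chain default policies, and a connection having both a destination-port and a source-port side), as an added example that is not part of the thread: a small Python simulator of ipchains-style first-match evaluation, run over the poster's input rules and the reply's additions. The Rule fields, the loopback rules and the sample packets are assumptions constructed here, and real ipchains matches on more than these four fields.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    chain: str                    # "input" or "output"
    target: str                   # ACCEPT, DENY or REJECT
    iface: Optional[str] = None   # None means "any", like omitting -i
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        wanted = {"iface": self.iface, "proto": self.proto,
                  "sport": self.sport, "dport": self.dport}
        return all(v is None or pkt[k] == v for k, v in wanted.items())

# Chain policies: ipchains defaults to ACCEPT; the reply sets both to DENY.
POLICY_OPEN = {"input": "ACCEPT", "output": "ACCEPT"}
POLICY_DENY = {"input": "DENY", "output": "DENY"}

# The poster's three input rules, as quoted in the thread.
POSTER_INPUT = [Rule("input", "ACCEPT", "eth0", "tcp", dport=80),
                Rule("input", "ACCEPT", "eth0", "tcp", dport=53),
                Rule("input", "ACCEPT", "eth0", "udp", dport=53)]
# The reply's additions: replies leave from source port 80/53, then log-and-reject.
REPLY_OUTPUT = [Rule("output", "ACCEPT", "eth0", "tcp", sport=80),
                Rule("output", "ACCEPT", "eth0", "tcp", sport=53),
                Rule("output", "ACCEPT", "eth0", "udp", sport=53)]
DEBUG_REJECT = [Rule("input", "REJECT"), Rule("output", "REJECT")]
# Loopback rules the reply says are still missing (assumed form, not from the post).
LOOPBACK = [Rule("input", "ACCEPT", iface="lo"), Rule("output", "ACCEPT", iface="lo")]
COMPLETED = LOOPBACK + POSTER_INPUT + REPLY_OUTPUT + DEBUG_REJECT

def verdict(chain: str, pkt: dict, rules: list, policy: dict) -> str:
    """First matching rule on the chain decides; if none matches, the policy does."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.target
    return policy[chain]

def pkt(iface: str, proto: str, sport: int, dport: int) -> dict:
    return {"iface": iface, "proto": proto, "sport": sport, "dport": dport}

# Constructed sample packets: a web request, its reply, an SSH attempt, local DNS.
WEB_IN = pkt("eth0", "tcp", 40000, 80)
WEB_OUT = pkt("eth0", "tcp", 80, 40000)
SSH_IN = pkt("eth0", "tcp", 40001, 22)
LOOP_DNS = pkt("lo", "udp", 5000, 53)
```

Running `verdict("input", SSH_IN, POSTER_INPUT, POLICY_OPEN)` shows why the poster's rules alone restrict nothing: with the default ACCEPT policy an unmatched packet is accepted, while the completed set rejects it and still lets the web reply out from source port 80.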