Woo hoo!
Thanks again to Chad M. Stewart, he's solved my (retarded) problem! I will
write on the chalkboard three hundred times:
ipchains uses the first rule that matches
ipchains uses the first rule that matches
ipchains uses the first rule that matches
ipchains uses the first rule that matches
ipchains uses the first rule that matches
...
All I had to do was reverse the order of my code, like the following. Now I
have an awesome firewall. If anyone was wondering why I would want to do
such an allow thing, it happens to have something to do with AT&T's @Home
cable restrictions. (e.g. you are not allowed to run an HTTP server or FTP
server).
Thanks again.
(Here is my working code...)
#Write our ACCEPT rules before our DENY rules: ipchains uses the first rule that matches.
#HTTP_ALLOW is the address(es) that can access port 80
echo "Begin HTTP Allow..."
HTTP_ALLOW=216.65.141.217/32
#Inbound requests from HTTP_ALLOW (unprivileged source port) to our port 80
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $HTTP_ALLOW $UNPRIVPORTS \
         -d $IPADDR 80 -j ACCEPT
#Replies from our port 80 back to HTTP_ALLOW ("! -y" = not a SYN-only packet, so no outbound connects)
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 80 \
         -d $HTTP_ALLOW $UNPRIVPORTS -j ACCEPT
echo "...End HTTP Allow"
#Everyone else: these DENY rules sit after the ACCEPT rules, so they only catch what was not allowed above
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR 80 -j DENY
#-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 80 \
         --destination-port $UNPRIVPORTS -j DENY
#--destination-port $UNPRIVPORTS -j ACCEPT
> -----Original Message-----
> From: Chad M. Stewart [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 13, 2000 9:06 PM
> To: Dan Browning; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Thanks & port 80 filtering by IP
>
>
> At 08:52 PM 10/13/2000 -0700, Dan Browning wrote:
> >First, I wanted to thank those who have helped me get my firewall to the
> >point where it is now ("mostly working").
> >Thanks:
> > Jerry Gregory
> > Chad M. Stewart
> > Ron Perry
> > Larry Grover
> > Drew Hunt
> > Charles Galpin
> > (Sorry if I forgot someone)
> >
>
> You're welcome.
>
>
> >I used the Linux Firewall Design Tool
> > (Robert L. Ziegler © 1998, 1999, 2000,
> >http://www.linux-firewall-tools.com/linux/firewall/)
> >to build a firewall, and everything is working fine, except my special port
> >80 rules. I would like to keep everyone connecting to port 80 out, except
> >let some people who connect from approved IP address lists in.
> >
> >I'll list the important part of my rc.firewall (since the whole of it is
> >quite large). The problem is that even with the -j ACCEPT rules set for the
> >HTTP_ALLOW ip address, http connects from that address do not work. (lynx
> >just hangs waiting for response). But, the internal networks (10.x) can
> >access the HTTP fine (as they are supposed to be)--so I know httpd is at
> >least running correctly. If I change the DENY's to ACCEPT, then it lets
> >everyone in (obviously), but I'm stumped.
> >
> >Here are my rules:
> >
> >
> > # ------------------------------------------------------------------
> >
> > # HTTP server (80)
> > # ----------------
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> > --source-port $UNPRIVPORTS \
> > -d $IPADDR 80 -j DENY
> > #-d $IPADDR 80 -j ACCEPT
> >
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> > -s $IPADDR 80 \
> > --destination-port $UNPRIVPORTS -j DENY
> > #--destination-port $UNIVPORTS -j ACCEPT
> >
> > #now add some accept code for those who *are* allowed into http
> >server.
> >
> >echo "Begin HTTP Stealth mode..."
> >
> >HTTP_ALLOW=216.65.141.217/32
> >
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> > -s $HTTP_ALLOW $UNPRIVPORTS \
> > -d $IPADDR 80 -j ACCEPT
> >
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> > -s $IPADDR 80 \
> > -d $HTTP_ALLOW $UNPRIVPORTS -j ACCEPT
> >
> >echo "...End HTTP Stealth mode"
> >
>
>
> If this is truly how your rules are being executed, then you're saying
>
> A) Keep everyone out
> B) Let HTTP_ALLOW in.
>
> The first rule that matches is used, i.e. A) keep everyone out.
>
>
> Regards,
> Chad
>
>
>
>
>
> > # HTTP client (80)
> > # ----------------
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> > -s $IPADDR $UNPRIVPORTS \
> > --destination-port 80 -j ACCEPT
> >
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> > --source-port 80 \
> > -d $IPADDR $UNPRIVPORTS -j ACCEPT
> >
> > # ------------------------------------------------------------------
> >
> >
> >Again, thanks for all of your help.
> >
> >Dan Browning
> >Network & Database Administrator
> >Cyclone Computer Systems
>
>
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
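The first-match behaviour Chad points out, as an added example (Python, not code from the thread or from Ziegler's tool): a small model of the input chain's two HTTP rules that evaluates them in ipchains order and flags any rule that is shadowed by an earlier, broader one. The 216.65.141.217/32 address is from the thread; the second client address and the source ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

UNPRIVPORTS = range(1024, 65536)  # ipchains' $UNPRIVPORTS (1024:65535)


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network  # -s <net>; 0.0.0.0/0 when the rule gave no -s
    dport: int                     # -d $IPADDR <port>
    target: str                    # -j ACCEPT or -j DENY


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dport: int


def first_match(chain, pkt):
    """ipchains semantics: walk the chain top to bottom, first matching rule wins."""
    for rule in chain:
        if pkt.src in rule.source and pkt.sport in UNPRIVPORTS and pkt.dport == rule.dport:
            return rule.target
    return "POLICY"  # nothing matched: the chain's default policy applies


def shadowed_rules(chain):
    """Indices of rules that can never match: an earlier rule on the same port
    already covers every source address they could match."""
    shadowed = []
    for i, later in enumerate(chain):
        if any(later.dport == earlier.dport and later.source.subnet_of(earlier.source)
               for earlier in chain[:i]):
            shadowed.append(i)
    return shadowed


ANY = ipaddress.ip_network("0.0.0.0/0")
HTTP_ALLOW = ipaddress.ip_network("216.65.141.217/32")   # from the thread
ALLOW_RULE = Rule(HTTP_ALLOW, 80, "ACCEPT")
DENY_RULE = Rule(ANY, 80, "DENY")

BROKEN_CHAIN = [DENY_RULE, ALLOW_RULE]    # Dan's first ordering: DENY shadows ACCEPT
WORKING_CHAIN = [ALLOW_RULE, DENY_RULE]   # the reversed, working ordering

# Constructed sample packets: the allowed host and some other Internet host.
ALLOWED_CLIENT = Packet(ipaddress.ip_address("216.65.141.217"), 40000, 80)
OTHER_CLIENT = Packet(ipaddress.ip_address("198.51.100.7"), 51234, 80)

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("working", WORKING_CHAIN)):
        print(name, first_match(chain, ALLOWED_CLIENT), first_match(chain, OTHER_CLIENT),
              "shadowed:", shadowed_rules(chain))
```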