On 3 May 2011 16:21, Hilco Wijbenga <email@example.com> wrote:
> Hi all,
> I'm attempting to set up a simple firewall on a virtual server. I have
> the following:
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -j LOG
> iptables -A INPUT -j REJECT
> (And iptables -L shows that this setup has been accepted.)
> This was supposed to only allow my box (or at least my public IP)
> access to port 80 on this server. I can not access port 80 at all,
> however. (Please note that without --source it works as expected.)
> What am I doing wrong?
Mmmh, it does work after all. You have to be careful to restart
everything, I guess.
I've moved the --source to the SSH line. That works too but it seems
like I can only have 1 connection open at the same time. Sort of. I
have a reverse connection from a local server with a non-routable IP
to this public server. That works. But then I can't access the public
server anymore. If I kill the reverse connection and wait a few
minutes, I can login again. Switch the reverse connection back on ...
and I can't login anymore. Strange.
> On a related note, the logging only logs the packet, but no timestamp.
> Is that configurable somewhere?