Instead of making the default policy DROP, why not keep the default policy as ACCEPT and explicitly drop all traffic after you allow dport 80 and 8080? Something like:

# Create your own chain for dropping and logging
#
iptables -N DROP_AND_LOG
iptables -A DROP_AND_LOG -j LOG --log-level info --log-prefix "FW_UNATH: "
iptables -A DROP_AND_LOG -j DROP

iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 8080 -j ACCEPT
iptables -A INPUT -i $YOUR_ETH_INT -j DROP_AND_LOG

where
YOUR_IP = your IP address
YOUR_ETH_INT = the interface on which 80 and 8080 are listening (e.g. eth0)

Let me know if this works for you,

Andy.

On Wed, 2003-10-01 at 22:17, Kevin Carlson wrote:
Dieter Maurer wrote:
Kevin Carlson wrote at 2003-9-30 23:25 -0400:
... The iptables rules I set up are as follows:
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Can you access Apache on port 80?
If so, check Apache proxying to Zope. I prefer Apache "RewriteRules" and they can be logged.
Yes, I can access Apache on port 80. I am using "RewriteRules" and have been looking at the logs and don't see anything odd. I just can't figure out why the iptables rules don't allow me to access sites that should only need port 80 to work. If I remove the first rule above, all works fine which tends to make me think that input through some other port is necessary. Makes no sense to me since I should only need port 80. Anyone out there using IPTables in front of an Apache/Zope configuration?
Kevin
--
Regards,
Andrew Rechenberg
Infrastructure Team, Sherman Financial Group
513.707.3809
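To see what the two rulesets in this thread actually do to a packet, here is a small model of INPUT-chain evaluation with both of them loaded. It is an added example written for this page, not iptables itself and not code from Andy, Kevin or the Zope list. It assumes a made-up host address 192.0.2.10 on eth0 and a handful of constructed sample packets, and it models only the matches the thread uses (protocol, destination port, destination address, inbound interface), LOG as a non-terminating target, and a user-defined chain that returns to INPUT when none of its rules match.

```python
"""Toy model of iptables INPUT-chain evaluation (constructed for this page)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    iface: str   # interface the packet arrived on, e.g. "eth0" or "lo"
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    dst: str     # destination address


@dataclass
class Rule:
    target: str                    # ACCEPT, DROP, LOG, or a user-defined chain
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    iface: Optional[str] = None    # -i
    dst: Optional[str] = None      # -d
    log_prefix: str = ""           # --log-prefix (only used by LOG)

    def matches(self, pkt: Packet) -> bool:
        # A match option that is not given (None) matches anything.
        return all(want is None or want == have for want, have in (
            (self.proto, pkt.proto), (self.dport, pkt.dport),
            (self.iface, pkt.iface), (self.dst, pkt.dst)))


class Firewall:
    def __init__(self, policy: str):
        self.policy = policy                       # -P INPUT <policy>
        self.chains: Dict[str, List[Rule]] = {"INPUT": []}
        self.log: List[str] = []                   # what the LOG target would emit

    def new_chain(self, name: str) -> None:        # iptables -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                # LOG records the packet and evaluation continues with the next rule.
                self.log.append(f"{rule.log_prefix}IN={pkt.iface} "
                                f"PROTO={pkt.proto} DPT={pkt.dport}")
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            # Jump into a user-defined chain; fall back here if it does not decide.
            verdict = self._walk(rule.target, pkt)
            if verdict is not None:
                return verdict
        return None

    def verdict(self, pkt: Packet) -> str:
        v = self._walk("INPUT", pkt)
        return v if v is not None else self.policy   # chain policy applies last


def kevins_ruleset() -> Firewall:
    """Default-DROP policy with two ACCEPT rules, as in the original post."""
    fw = Firewall(policy="DROP")
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=80))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=8080))
    return fw


def andys_ruleset(your_ip: str = "192.0.2.10", your_eth_int: str = "eth0") -> Firewall:
    """Default-ACCEPT policy plus an interface-scoped DROP_AND_LOG chain, as suggested."""
    fw = Firewall(policy="ACCEPT")
    fw.new_chain("DROP_AND_LOG")
    fw.append("DROP_AND_LOG", Rule("LOG", log_prefix="FW_UNATH: "))
    fw.append("DROP_AND_LOG", Rule("DROP"))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=80, dst=your_ip))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=8080, dst=your_ip))
    fw.append("INPUT", Rule("DROP_AND_LOG", iface=your_eth_int))
    return fw


# Constructed sample traffic (192.0.2.10 is a documentation address, not a real host).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "http from the internet":   Packet("eth0", "tcp", 80,    "192.0.2.10"),
    "ssh from the internet":    Packet("eth0", "tcp", 22,    "192.0.2.10"),
    "apache to zope on lo":     Packet("lo",   "tcp", 8080,  "127.0.0.1"),
    "local dns reply on lo":    Packet("lo",   "udp", 40000, "127.0.0.1"),
    "reply to outbound on eth0": Packet("eth0", "tcp", 45000, "192.0.2.10"),
}


def compare(packets: Dict[str, Packet]) -> Dict[str, Tuple[str, str]]:
    """Verdict of (Kevin's ruleset, Andy's ruleset) for each sample packet."""
    kevin, andy = kevins_ruleset(), andys_ruleset()
    return {name: (kevin.verdict(p), andy.verdict(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (k, a) in compare(SAMPLE_PACKETS).items():
        print(f"{name:28s} default-DROP: {k:6s} DROP_AND_LOG: {a}")
```

Both rulesets accept the port 80 request and drop the port 22 probe, and the second one additionally writes an "FW_UNATH: " line for it. The difference shows up on loopback: the DROP policy rejects anything not explicitly allowed, including a local DNS reply on lo, while the interface-scoped DROP_AND_LOG rule never touches lo. Neither ruleset, as written, accepts return traffic on eth0 for connections the host itself opens; that is what a connection-state match (`-m state --state ESTABLISHED,RELATED`) is normally added for.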