Rechenberg, Andrew wrote:
> Instead of making the default policy DROP, why not keep the default policy as ACCEPT and explicitly drop all traffic after you allow dport 80 and 8080?
>
> Something like:
>
> # Create your own chain for dropping and logging
> iptables -N DROP_AND_LOG
> iptables -A DROP_AND_LOG -j LOG --log-level info --log-prefix "FW_UNATH: "
> iptables -A DROP_AND_LOG -j DROP
>
> iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 8080 -j ACCEPT
> iptables -A INPUT -i $YOUR_ETH_INT -j DROP_AND_LOG

This works great! The only issue I have now is that some of the connections our application makes to external servers via port 443 get blocked when the outside server wants to send data back in over the same connection. I'm sure this has something to do with iptables state management and allowing ESTABLISHED/RELATED traffic, like I've seen for FTP. Overall this was exactly what I was looking for. Thanks!
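The blocked replies on port 443 are the catch-all DROP_AND_LOG rule eating return traffic for connections the host itself opened; a conntrack rule placed before it fixes that. The script below is an added example, not code from the thread: it generates the suggested ruleset with that rule added (YOUR_IP and YOUR_ETH_INT are passed as arguments, the log prefix is a placeholder) and prints the commands rather than applying them, so they can be reviewed before piping into a root shell.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits the iptables rules
# in the order they must be applied. Usage (review first, then apply):
#   fw_rules 203.0.113.10 eth0            # print
#   fw_rules 203.0.113.10 eth0 | sudo sh  # apply
fw_rules() {
    ip="$1"; iface="$2"
    cat <<EOF
iptables -N DROP_AND_LOG
iptables -A DROP_AND_LOG -j LOG --log-level info --log-prefix "FW_UNAUTH: "
iptables -A DROP_AND_LOG -j DROP
# Replies for connections this host opened (e.g. outbound 443) and related
# traffic (e.g. FTP data) must be accepted BEFORE the catch-all below,
# otherwise the server's reply packets land in DROP_AND_LOG.
iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Only NEW inbound connections to the published services are accepted.
iptables -A INPUT -p tcp -d $ip --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -d $ip --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $iface -j DROP_AND_LOG
EOF
}

# Sanity check on the generated output: the ESTABLISHED,RELATED accept must
# come before the catch-all jump to DROP_AND_LOG, or rule order is wrong.
rule_order_ok() {
    fw_rules "$1" "$2" | awk '
        /ctstate ESTABLISHED,RELATED/ && !est { est = NR }
        /^iptables -A INPUT/ && /-j DROP_AND_LOG$/ { drop = NR }
        END { exit !(est && drop && est < drop) }'
}
```

After applying, `iptables -L INPUT -n -v --line-numbers` shows the rule order and per-rule packet counters, which is the quickest way to confirm the conntrack rule is matching the 443 replies instead of DROP_AND_LOG.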