From: Joel Newkirk <netfilter@newkirk.us>
To: JUSTIN GERRY <JGERRY@butchers.com>, roy@karlsbakk.net
Cc: netfilter@lists.netfilter.org
Subject: Re: Trying to setup two ethernet cards with two websites
Date: Thu, 2 Jan 2003 10:21:07 -0500
Message-ID: <200301021021.07838.netfilter@newkirk.us>
In-Reply-To: <se140b47.055@butchers.com>
On Thursday 02 January 2003 09:49 am, JUSTIN GERRY wrote:
> I tried your suggestions below and yes, I finally have two websites
> working on the same box. Simplifying things does indeed work.
>
> Is there a way to, by default, drop everything on the output chain, but
> insert a rule to allow only http requests that were initiated by a
> client to either website?
>
> Or, if my input rules are sufficient, do I really need to do anything
> on the output chain other than let everything out?
>
> Thanks,
> Justin
If you trust that nothing on the box is or ever will connect that you
don't want to, then the output chain can just have an ACCEPT policy. If you
want to lock down to make it harder for a trojan or such to communicate
back from the box, you can set a DROP policy, then:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
will let traffic back out in response to client requests, but not let the
box initiate any connections. If this tighter firewall still allows the
needed connections, why open up any further? I'd suggest you might want
to log dropped output traffic, though, to see what DOES try to get out.
Depending on your usage and plans, you might want to open a few
outbounds, like traceroute, ping, CVS, http, or ftp access FROM the box
if you want to use these services when logged into the box, for updating
software etc. Of course you can just allow those connections when
needed, and the rest of the time go with DROP policy and the EST/REL
rule above.
j
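The OUTPUT chain Joel describes, written out as an added example that is not part of the thread: a DROP policy, the ESTABLISHED,RELATED accept, and a LOG rule so that dropped outbound traffic shows up in the kernel log, plus a small summariser for those log lines. The loopback accept, the rate limit on the LOG rule and the `OUT-DROP: ` prefix are my assumptions, not something the mail states, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits the OUTPUT chain in
# iptables-restore format: DROP policy, replies to client-initiated
# connections allowed, everything else logged before it is dropped.
output_ruleset() {
  cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
# Assumption: local services talk to themselves over lo; a DROP policy
# on OUTPUT would otherwise break them.
-A OUTPUT -o lo -j ACCEPT
# Replies to connections a client opened, plus related traffic (ICMP errors etc.)
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what still tries to get out; rate-limited so a busy trojan cannot flood syslog
-A OUTPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# Constructed kernel log lines as the LOG rule above would produce them
# (RFC 5737 documentation addresses; not real hosts).
SAMPLE_LOG='Jan  2 10:21:07 web kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33456 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  2 10:21:09 web kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=33457 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  2 10:22:15 web kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1'

# Reads log lines on stdin and prints "proto dst:dport count", busiest first,
# so you can see what DOES try to get out before deciding what to open.
summarize_drops() {
  grep 'OUT-DROP:' | awk '{
    proto = ""; dst = ""; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "PROTO") proto = tolower(kv[2])
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    count[proto " " dst ":" dpt]++
  }
  END { for (k in count) print k, count[k] }' | sort -k3 -n -r
}
```

Load with `output_ruleset | iptables-restore -n` to append to a live ruleset; without `-n` (`--noflush`) iptables-restore replaces the whole filter table, so merge the INPUT rules into the same file first. Feed `summarize_drops` from the kernel log (for example `grep OUT-DROP /var/log/messages | summarize_drops`).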