[ale] IP table question
Terry Bailey
terry at bitlinx.com
Tue Sep 12 19:05:59 EDT 2006
I apologize. I realized that it was a stupid question immediately after I
sent it, but it was too late.
At 11:36 AM 9/12/2006, you wrote:
>Terry Bailey wrote:
>
> >
> > The following line on a web server with IP of 192.168.1.50 allows my
> > computer with IP of 192.168.1.100 to access the web site of the
> > server. But it also allows access via https from my computer. I thought
> > https used another port. Could someone explain this?
> >
> > iptables -I INPUT -p tcp --dport 80 -s ! 192.168.1.100 -j DROP
>
>In fact, this rule *prohibits* HTTP access from any device whose
>address is NOT ...100. It says nothing whatever about any
>other port or protocol.
>
>There must be some other rule that is allowing in https traffic.
>As usual, it's basically impossible to tell what's going on
>without seeing the whole ruleset. Probably you have a rule
>or policy somewhere that says, "What the hell, let any old
>packet in!", and the rule quoted above is an attempt to plug
>an obvious hole. The problem with that is, the box is already
>Swiss cheese -- you're never going to be able to plug every
>hole. That's why you should start your ruleset with:
>
> iptables -P INPUT DROP
>
>and then add rules to specifically *allow* the stuff you want
>to let in, e.g.:
>
> iptables -A INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>The other chains (FORWARD, OUTPUT) should be treated similarly.
>
>I have a reasonably well-commented set of rules; shall I post
>it? I've no qualms about that; security by obscurity is, of
>course, an illusion; in fact I'd really love it if someone
>found flaws in my ruleset. I think a good discussion of iptables
>rules would be a great thing to have in the list archive.
>
>-- JK
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale
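To make the point in JK's reply concrete (a rule matches only what it names, and everything it does not name falls through to the chain policy), here is an added Python model of INPUT-chain evaluation. It is not code from the thread or from iptables itself; it only models first-match-wins over `-p tcp`, `--dport`, `-s` (with negation) and `-m state --state`, and assumes, as JK guessed, that Terry's chain still has a default policy of ACCEPT. The packets are constructed for the illustration.

```python
"""Toy model of iptables INPUT-chain evaluation: rules are checked in
order, the first match decides, and an unmatched packet gets the chain
policy.  Added example, not part of the original thread."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dport: int
    proto: str = "tcp"
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    proto: Optional[str] = None      # -p tcp
    dport: Optional[int] = None      # --dport N
    src: Optional[str] = None        # -s ADDR
    src_negated: bool = False        # "-s ! ADDR" (old syntax) / "! -s ADDR"
    states: frozenset = frozenset()  # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # With negation the rule matches every source EXCEPT self.src.
        if self.src is not None and (pkt.src == self.src) == self.src_negated:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def verdict(rules, policy: str, pkt: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Terry's single rule, on a chain whose policy is assumed to still be ACCEPT:
#   iptables -I INPUT -p tcp --dport 80 -s ! 192.168.1.100 -j DROP
ORIGINAL_POLICY = "ACCEPT"
ORIGINAL_RULES = [
    Rule("DROP", proto="tcp", dport=80, src="192.168.1.100", src_negated=True),
]

# The shape JK suggests: default DROP, then explicit ACCEPTs.
#   iptables -P INPUT DROP
#   iptables -A INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
HARDENED_POLICY = "DROP"
HARDENED_RULES = [
    Rule("ACCEPT", proto="tcp", dport=80, src="192.168.1.100"),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
]

# Constructed sample traffic arriving at the web server (192.168.1.50).
PACKETS = {
    "http_from_100":   Packet("192.168.1.100", 80),
    "http_from_200":   Packet("192.168.1.200", 80),
    "https_from_100":  Packet("192.168.1.100", 443),
    "https_from_200":  Packet("192.168.1.200", 443),
    "reply_to_server": Packet("192.168.1.200", 40000, state="ESTABLISHED"),
}


def evaluate(rules, policy: str) -> dict:
    """Map each sample packet's label to the verdict the chain gives it."""
    return {name: verdict(rules, policy, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, (rules, policy) in {
        "original (policy ACCEPT)": (ORIGINAL_RULES, ORIGINAL_POLICY),
        "hardened (policy DROP)": (HARDENED_RULES, HARDENED_POLICY),
    }.items():
        print(label)
        for name, result in evaluate(rules, policy).items():
            print(f"  {name:16s} -> {result}")
```

Run it and the original ruleset shows HTTPS from any host reaching the server: port 443 is never named, so those packets fall through to the ACCEPT policy. Under the default-DROP ruleset the same HTTPS packets are dropped from everyone, including ...100, until a rule explicitly allows them, while established replies still get in via the state rule.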