Re: iptables and virtual hosts problem



On Tue, Oct 30, 2007 at 05:09:50PM +0100, Erik Persson wrote:
Hello!

I have a server which is running 2 different virtual hosts (vserver), let's
call them S for the server, A and B for the virtual hosts A and B.
S, A and B have different ip-addresses (say s.s.s.s, a.a.a.a and b.b.b.b).

Since the server isn't really forwarding anything I haven't used the
FORWARD chain for anything, and I use INPUT and OUTPUT to regulate the flow
to the different servers, for example:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -d a.a.a.a -p tcp --dport 80 -j ACCEPT
on the server
seems to do what I want. In the example above letting A and only A answer
requests on port 80.

However, when I try to regulate the flow of traffic between the different
"machines" (S, A, and B) strange things happen.

For example:
iptables -I OUTPUT -d a.a.a.a -p tcp --dport 25 -j ACCEPT
doesn't only allow any of the "machines" to try to contact port 25 on A,
but it *also allows A to answer* !!!

If by answer, you mean respond to the same request, then that is
appropriate, IIUC. The rules relate to *new* requests, not responses
to existing ones. That's why when you block port 80 inbound, you can
still receive packets -- they match up to outbound requests your
browser has made.

I think that's right.

A
