simple iptables ruleset?
on 30.03.2007 14:08:12 by fiprojects.com
Folks,
This is driving me up the wall... I've written a script which appears
to work on my lan - I can successfully accept/deny folk either by
their IP, network and port - however when I try it in a live
environment, it stops all traffic.
There are too many fences between me and the outside world (BigIP and
reverse proxies for example) so I don't know what might be happening
to the packets as they come in so I'm wondering if someone can help me
write up a ruleset to do the following:
1. Allow all traffic from a selection of IP subnets (for example,
allow 192.168.1.0 through to 192.168.10.0). They should have full access
to all ports.
2. Allow access to port 22 (ssh) and 8001 (weblogic) using tcp/http
traffic from a specific IP address (for example 192.168.168.168).
3. Deny everything else.
What is known: When traffic goes through my BigIPs and proxies and other
fences between me and the outside world, their IP address is carried.
I've tested this via dialup internet GPRS connection using my laptop.
As soon as I switch off iptables, access to my web based app works -
as soon as I enable the firewall, access to my web app fails even
though I explicitly have a rule to allow it by source IP and port.
One thing that has just crossed my mind - BigIP listens at port 80,
does a redirect from HTTP to HTTPS and then from there it goes through
some proxies before hitting my application server at port 8001. I
would therefore guess that my rules should apply to 8001 (since
iptables is on application server).
Is there anything I am omitting? I'm going to persist in learning more
about iptables as it appears to be an art - but when I had my script
working on my laptop, and it tested fine on my lan, I would have
expected it to work.
Can anyone help? It would be greatly appreciated,
Thanks,
Randell D.
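A ruleset that implements the three requirements in the post, written here as an added example (it is not the poster's script): the function emits an iptables-restore file rather than calling iptables directly, so it can be reviewed before loading. The trusted subnet list, the admin host and the port list are assumed values; the loopback and ESTABLISHED,RELATED rules are included because a DROP policy without them cuts off reply traffic and local services, and the rate-limited LOG rule records what the default policy drops so the real source address arriving through the BigIP/proxy path can be read from the kernel log.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for
#  1. full access from a set of trusted subnets,
#  2. tcp 22 and 8001 from one admin host,
#  3. drop everything else (with a rate-limited log of what is dropped).
# Assumes iptables runs on the application server that listens on 8001.

TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24 192.168.10.0/24"  # assumed list
ADMIN_HOST="192.168.168.168"                                  # from the post
APP_PORTS="22 8001"                                           # ssh, weblogic

gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and reply packets must be accepted before the source-based
    # rules; without these a DROP policy looks like "all traffic stops".
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # 1. trusted subnets get every port
    for net in $TRUSTED_NETS; do
        echo "-A INPUT -s $net -j ACCEPT"
    done
    # 2. admin host may open new tcp sessions to the listed ports only
    for port in $APP_PORTS; do
        echo "-A INPUT -p tcp -s $ADMIN_HOST --dport $port -m state --state NEW -j ACCEPT"
    done
    # 3. log a sample of what falls through to the DROP policy, for diagnosis
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# Number of ACCEPT rules the generator produced; a quick sanity check.
count_accept() { gen_ruleset | grep -c -- '-j ACCEPT'; }

# Usage: gen_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Load it with iptables-restore as shown in the last comment, then watch the kernel log for the "iptables-drop:" prefix to see which source address and port the proxied requests actually arrive with.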