[Zope] IPTables and Zope

Rechenberg, Andrew ARechenberg at shermanfinancialgroup.com
Thu Oct 2 11:06:55 EDT 2003


Instead of making the default policy DROP, why not keep the default
policy as ACCEPT and explicitly drop all traffic after you allow dport
80 and 8080?

Something like:

# Create your own chain for dropping and logging
#
iptables -N DROP_AND_LOG
iptables -A DROP_AND_LOG -j LOG --log-level info --log-prefix "FW_UNATH:  "
iptables -A DROP_AND_LOG -j DROP

iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 8080 -j ACCEPT
iptables -A INPUT -i $YOUR_ETH_INT -j DROP_AND_LOG

where 

YOUR_IP = your IP address
YOUR_ETH_INT = the interface on which 80 and 8080 are listening (e.g. eth0)

Let me know if this works for you,
Andy.



On Wed, 2003-10-01 at 22:17, Kevin Carlson wrote:
> Dieter Maurer wrote:
> 
> >Kevin Carlson wrote at 2003-9-30 23:25 -0400:
> >  
> >
> >> ... The iptables rules I set up are as follows:
> > > 
> > > iptables -P INPUT DROP
> > > iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > > iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
> > > 
> >
> >Can you access Apache on port 80?
> >
> >If so, check Apache proxying to Zope.
> >I prefer Apache "RewriteRules" and they can be logged.
> >
> >
> >  
> >
> Yes, I can access Apache on port 80.  I am using "RewriteRules" and have 
> been looking at the logs and don't see anything odd.  I just can't 
> figure out why the iptables rules don't allow me to access sites that 
> should only need port 80 to work. If I remove the first rule above, all 
> works fine which tends to make me think that input through some other 
> port is necessary.  Makes no sense to me since I should only need port 
> 80.  Anyone out there using IPTables in front of an Apache/Zope 
> configuration?
> 
> Kevin
> 
> 
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
-- 

Regards,
Andrew Rechenberg
Infrastructure Team, Sherman Financial Group
513.707.3809
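Added example, not from this thread: a stateful variant of Andy's rule set for an Apache (port 80) plus Zope (port 8080) host. It keeps his DROP_AND_LOG chain and the ACCEPT-then-catch-all ordering, and adds the two rules that a default DROP policy with only the dport 80/8080 accepts leaves out: loopback (Apache proxying to Zope on 127.0.0.1 is INPUT traffic too) and ESTABLISHED,RELATED, without which replies to connections the host itself opened (DNS lookups, updates, Zope's own outbound requests) are dropped. The address 192.0.2.10, the interface eth0, the management network 192.0.2.0/24 for SSH, and the corrected log prefix FW_UNAUTH are assumptions for illustration. The script prints the rules by default and only applies them when APPLY=1, so the set can be reviewed before it touches a live host.

```shell
#!/bin/sh
# Added example (not the thread's own code). Placeholder values are assumptions:
# replace them with the real address, interface and management network.
YOUR_IP="${YOUR_IP:-192.0.2.10}"          # assumed: documentation-range address
YOUR_ETH_INT="${YOUR_ETH_INT:-eth0}"      # assumed: public interface name
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # assumed: network allowed to reach sshd

# Emit the rules as text rather than running them, so they can be read or
# diffed against `iptables-save` output first.
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -N DROP_AND_LOG 2>/dev/null || iptables -F DROP_AND_LOG
# Rate-limit the LOG target so a port scan or flood cannot fill /var/log.
iptables -A DROP_AND_LOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "FW_UNAUTH: "
iptables -A DROP_AND_LOG -j DROP
# Loopback: Apache's proxy to Zope on 127.0.0.1:8080 arrives on lo, not eth0.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened are ESTABLISHED/RELATED; this rule
# must come before the catch-all or a DROP default policy breaks them.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound connections: only the two web ports, plus SSH from the admin net.
iptables -A INPUT -p tcp -d $YOUR_IP --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -d $YOUR_IP --dport 8080 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN_NET -d $YOUR_IP --dport 22 -m state --state NEW -j ACCEPT
# Everything else that arrives on the public interface is logged, then dropped.
iptables -A INPUT -i $YOUR_ETH_INT -j DROP_AND_LOG
EOF
}

# Returns 0 when the ESTABLISHED,RELATED accept is ordered before the
# catch-all DROP_AND_LOG jump; the reverse order silently kills outbound traffic.
check_order() {
    est=$(gen_rules | grep -n -- '--state ESTABLISHED,RELATED' | cut -d: -f1)
    drop=$(gen_rules | grep -n -- '-A INPUT -i .* -j DROP_AND_LOG' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh -e        # apply for real; needs root and the iptables binary
else
    gen_rules                # dry run: just show what would be applied
fi
```

The `-m state` match is the one available on 2003-era kernels; on current kernels the equivalent is `-m conntrack --ctstate ESTABLISHED,RELATED`, and the rest of the set is unchanged. Run it with APPLY=1 only after the printed rules look right, and keep an out-of-band console session open in case the SSH rule does not match your management network.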


