Linux: Iptables # 11 How to Block or open http/web service

by LinuxTitli · 7 comments

By default the Apache web server listens on TCP port 80 (http) and TCP port 443 (https, i.e. HTTP over TLS). Both services run over TCP, so every rule below matches on the TCP protocol and uses connection tracking (the -m state match) to tell a new connection from the packets of one already accepted. Two things to keep in mind before pasting the rules in: they only have an effect when the INPUT and OUTPUT chains have a default policy of DROP (or end in a DROP rule), because with the stock ACCEPT policy everything is already allowed; and the --sport 1024:65535 restriction on the client side adds little security while rejecting the occasional legitimate client whose source port is below 1024, so it can be left out. On current iptables releases -m conntrack --ctstate is the preferred spelling of -m state --state; both need the connection-tracking module (nf_conntrack), which is loaded automatically the first time such a rule is added.

A) Allow incoming http/web traffic at port 80
SERVER_IP="202.54.10.20"
# new and established connections from any client to our port 80
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$SERVER_IP" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# replies from port 80 back to the client; ESTABLISHED only, so nothing can originate a connection from port 80
iptables -A OUTPUT -p tcp -s "$SERVER_IP" --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

B) Allow incoming https/secure web traffic at port 443
SERVER_IP="202.54.10.20"
# new and established connections from any client to our port 443
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$SERVER_IP" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# replies from port 443 back to the client
iptables -A OUTPUT -p tcp -s "$SERVER_IP" --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

C) Allow outgoing http/web service traffic to port 80
SERVER_IP="202.54.10.20"
# this host acting as a client (e.g. package updates): new connections from our ephemeral ports to any port 80
iptables -A OUTPUT -p tcp -s "$SERVER_IP" --sport 1024:65535 -d 0/0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# the remote server's replies; ESTABLISHED only, so nobody can open a connection to us from source port 80
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d "$SERVER_IP" --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

D) Allow outgoing https/secure web service traffic to port 443
SERVER_IP="202.54.10.20"
# this host acting as an https client: new connections from our ephemeral ports to any port 443
iptables -A OUTPUT -p tcp -s "$SERVER_IP" --sport 1024:65535 -d 0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# the remote server's replies
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d "$SERVER_IP" --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


1 Sunil Shrestha 12.29.06 at 7:46 am

great site

2 Uttam Shrestha Rana 03.01.07 at 9:33 am

How to configure a Squid server with bandwidth limitation for particular network IPs?
If you respond with the configuration, it will be a great help to me; if not, I have still got lots of information from this site. Thanks. It's a great knowledge portal.

3 Vasanth kumar 08.02.07 at 9:51 pm

In Windows, how to block an https site like Gmail?

4 kunal 02.25.08 at 11:48 am

Script to block incoming HTTP requests from an IP, say after 20 continuous requests.

Thanks in advance
–kunal

5 kunal 02.25.08 at 11:49 am

Just to add one more thing: IP blocking should be done for a certain period of time, say 5 hrs, and after that unblock that IP.

6 Liju 07.04.08 at 3:39 pm

This would be much simpler and better. There is no need to permit outbound traffic to be opened; it can be avoided.

# Allow incoming port 80 and 443 (http/s) traffic
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

7 Well... 05.08.09 at 5:17 am

...you all forgot to mention that conntrack has to be enabled as well. Otherwise only the first packet of the connection is let in, but the "real" data is still blocked... ;-)
