[Zope] IPTables and Zope
ARechenberg at shermanfinancialgroup.com
Thu Oct 2 11:06:55 EDT 2003
Instead of making the default policy DROP, why not keep the default
policy as ACCEPT and explicitly drop all traffic after you allow dport
80 and 8080?
# Create your own chain for dropping and logging
iptables -N DROP_AND_LOG
# $LOG_PREFIX: the string to tag dropped packets with in syslog
# (the value given in the archived message was cut off; --log-prefix needs an argument)
iptables -A DROP_AND_LOG -j LOG --log-level info --log-prefix "$LOG_PREFIX"
iptables -A DROP_AND_LOG -j DROP
# Accept the two service ports, then log and drop everything else on the interface
iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 8080 -j ACCEPT
iptables -A INPUT -i $YOUR_ETH_INT -j DROP_AND_LOG
YOUR_IP = your IP address
YOUR_ETH_INT = the interface on which 80 and 8080 are listening (e.g.
Let me know if this works for you,
On Wed, 2003-10-01 at 22:17, Kevin Carlson wrote:
> Dieter Maurer wrote:
> >Kevin Carlson wrote at 2003-9-30 23:25 -0400:
> >> ... The iptables rules I set up are as follows:
> > >
> > > iptables -P INPUT DROP
> > > iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > > iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
> > >
> >Can you access Apache on port 80?
> >If so, check Apache proxying to Zope.
> >I prefer Apache "RewriteRules" and they can be logged.
> Yes, I can access Apache on port 80. I am using "RewriteRules" and have
> been looking at the logs and don't see anything odd. I just can't
> figure out why the iptables rules don't allow me to access sites that
> should only need port 80 to work. If I remove the first rule above, all
> works fine which tends to make me think that input through some other
> port is necessary. Makes no sense to me since I should only need port
> 80. Anyone out there using IPTables in front of an Apache/Zope
> Zope maillist - Zope at zope.org
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-dev )
Infrastructure Team, Sherman Financial Group
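A fail-closed version of the same ruleset, added here as an illustration and not code from either poster. The default-ACCEPT variant above works largely because its final drop is tied to one interface: Apache's proxy connection to Zope on 127.0.0.1:8080, and Zope's replies (which arrive on lo with a destination port equal to Apache's ephemeral port, never 8080), slip past it. The original ruleset with "-P INPUT DROP" and only dport 80 and 8080 accepted drops exactly those reply packets, plus the replies to any connection the host itself opens (DNS, NTP, outbound HTTP), which is why only port 80 appeared to be "not enough". The cost of the ACCEPT policy is that if the script aborts before its last rule, or traffic arrives on an interface other than $YOUR_ETH_INT, everything is open. Keeping the DROP policy and adding explicit accepts for loopback and for established connections gives a working ruleset without that fail-open default. The interface name eth0, the 127.0.0.1:8080 backend, the rate limit on logging, the dry-run helper and the decision not to expose 8080 on the public interface are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Apache listens on
# eth0:80 and proxies to Zope on 127.0.0.1:8080 via RewriteRules; the
# interface name and the backend address are assumptions.
# Dry run (no root needed):  IPTABLES="echo iptables" sh zope-fw.sh
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

zope_firewall() {
    # Set the policy before flushing so there is never a window with
    # everything open; a flush does not reset the policy.
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT

    # Logging chain: rate-limited so a scan cannot fill syslog.
    $IPTABLES -N DROP_AND_LOG 2>/dev/null || $IPTABLES -F DROP_AND_LOG
    $IPTABLES -A DROP_AND_LOG -m limit --limit 5/min \
        -j LOG --log-level info --log-prefix "INPUT DROP: "
    $IPTABLES -A DROP_AND_LOG -j DROP

    # 1. Loopback. Apache -> 127.0.0.1:8080 and Zope's replies travel over lo;
    #    the replies carry Apache's ephemeral port as dport, so a rule on
    #    "--dport 8080" alone never matches them.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # 2. Replies to connections this host opened (DNS, NTP, outbound HTTP).
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. The one public service: new connections to Apache on port 80.
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # 4. Zope's own port is deliberately NOT opened on the WAN interface;
    #    Apache reaches it over lo. Everything else is logged and dropped
    #    (redundant with the policy, but the log line is what you want).
    $IPTABLES -A INPUT -i "$WAN_IF" -j DROP_AND_LOG
}

# Print the rules that would be applied instead of applying them.
zope_firewall_dryrun() {
    ( IPTABLES="echo iptables"; zope_firewall )
}
```

Rules are evaluated top to bottom, so the loopback and ESTABLISHED,RELATED accepts must sit above the final DROP_AND_LOG; run zope_firewall_dryrun first and read the order before applying it as root. If you do need Zope reachable directly on 8080 from a management host, add a rule for that one source address above step 4 rather than reopening 8080 to 0/0.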