Apache vulnerability?

Alex mysqlstudent at gmail.com
Wed Nov 2 00:42:33 UTC 2011


> Thanks. If you bear with a couple "hopefully-not-too-naive" questions ...
> I seems to me that you are saying the actions you wish to stop are from
> "s <offending_ip>" using "-p tcp" ... why the need to specify the
> destination of "-d <my_ip>" (since if this iptables rule is called, it
> must have reached me regardless of my_ip) and "--dport 80" (would there
> be any destination port that I would allow such action from this
> offending_ip to occur on?).

Yes, that's correct. You don't need to include the destination if you
only have one IP address on that host.

> I am seeing in the default F14 iptables:
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> This looks to me like tcp on dport 22 is allowed and there I would think
> that the minimal change would be to insert a rule before this which says
> "anything from offending_ip via tcp should be rejected".
> I'm still trying to get comfortable with iptables and, even though there
> is alot of stuff out there, I'm still working to get the necessary
> critical mass of understanding so it all falls into place. This thread
> looked like a good chance to see if I'm closer to understanding.

Yes, that's a good approach too. If you are editing the existing
iptables config script from /etc/sysconfig/iptables, then that's
exactly what you would do. Something like this should work:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP -s
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

the "<offending_ip/range>" might be something like to block
the entire 256 addresses on that network.


More information about the users mailing list