Thu 1 Feb 2007
Firewalls

the policy on the INPUT chain to DROP is:

    # iptables -P INPUT DROP

As soon as we type that in, all incoming network packets are dropped, so before we do so, we'd better make sure that we're logged in to the machine on the console. If not, then we'll lose our connection to the machine and won't be able to get it back!

Note: We could also have used REJECT instead of DROP as the policy. This would result in a message being sent back to the sender of a blocked packet informing them that the port is not reachable. This is polite, and could prevent a hapless user from continually retrying a connection attempt that will never work. However, it also confirms our presence to a would-be hacker. The policy of DROP silently discards the incoming packet, so our would-be hacker won't even know there's anything listening at our IP address. Of course, this is only valid if we never respond to any requests; once you've responded to one, you've given the game away.

Now, we need to allow machines with IP addresses on the 192.168.10/24 network access to the Web server. This is listening on TCP port 80. We'll add a rule that says accept any packet arriving on interface eth1 from a machine in the 192.168.10/24 network that is destined for port 80. The syntax for this is:

    # iptables -A INPUT -p tcp -s 192.168.10/24 -i eth1 --dport 80 -j ACCEPT

Here:

    -A INPUT means append the rule to the INPUT chain
    -p tcp means match packets for the TCP protocol
    -s 192.168.10/24 means match packets with a source address in the 192.168.10/24 network
    -i eth1 means match packets on the eth1 interface
    --dport 80 means match packets with a destination port of 80
    -j ACCEPT means jump to the ACCEPT target (that is, allow the packet through)

Note: We don't have to specify the network interface, but doing so would prevent someone spoofing an IP address on the wrong network from gaining access.

Our second requirement is to allow ftp access to hosts in the 192.168.1/24 network attached to eth0, except 192.168.1.57. We'll have to do this as a pair of rules; the first is a specific rule to block ftp access from 192.168.1.57 and the second is a more general rule that allows the others in. Since packets are passed to rules in order, we want to place our more restrictive rules first to ensure that they match. So, our two new rules are created with:

    # iptables -A INPUT -p tcp -s 192.168.1.57 --dport 20:21 -j DROP
    # iptables -A INPUT -p tcp -s 192.168.1/24 -i eth0 --dport 20:21 -j ACCEPT

If we view our tables with the following command, we'll see our rules... eventually:

    # iptables -L -v

If DNS is configured on our machine, we'll find that all the DNS queries time out because we've blocked all the DNS traffic! So, we need to add some more rules to allow important network traffic through:

    # iptables -A INPUT -p all -s nameserver --dport domain -j ACCEPT
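To make the first-match behaviour of the INPUT chain concrete, here is an added example (not from the book) that models the three rules above and the DROP policy in Python and evaluates sample packets against them. It assumes a nameserver address of 192.168.1.2 and writes the networks out in full, since the ipaddress module does not accept the iptables shorthand 192.168.10/24.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the INPUT chain built in the text. Each rule is
# (protocol, source network, input interface or None, dport range, target).
RULES = [
    ("tcp", "192.168.10.0/24", "eth1", (80, 80), "ACCEPT"),  # web server
    ("tcp", "192.168.1.57/32", None, (20, 21), "DROP"),      # specific block
    ("tcp", "192.168.1.0/24", "eth0", (20, 21), "ACCEPT"),   # general ftp
]
POLICY = "DROP"  # iptables -P INPUT DROP

def matches(rule, pkt):
    proto, net, iface, (lo, hi), _ = rule
    return (proto in ("all", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(net)
            and (iface is None or iface == pkt["iface"])
            and lo <= pkt["dport"] <= hi)

def verdict(pkt, rules=RULES, policy=POLICY):
    """The first matching rule decides; the chain policy applies if none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[4]
    return policy

def packet(src, iface, dport, proto="tcp"):
    return {"src": src, "iface": iface, "dport": dport, "proto": proto}

# Rule order matters: the text puts the specific DROP before the general ACCEPT.
def ftp_verdict_specific_first(src):
    return verdict(packet(src, "eth0", 21))

def ftp_verdict_general_first(src):
    # Same rules with the two ftp rules swapped: the ordering mistake to avoid.
    swapped = [RULES[0], RULES[2], RULES[1]]
    return verdict(packet(src, "eth0", 21), rules=swapped)

# Interface restriction: a 192.168.10/24 source arriving on eth0 instead of
# eth1 does not match the web rule, which is the spoofing case the note raises.
def web_verdict(src, iface):
    return verdict(packet(src, iface, 80))

# A DNS reply from the (assumed) nameserver comes back over UDP to an
# ephemeral port, so none of the three rules match and the policy drops it,
# which is why the text sees DNS queries time out before the extra rule is added.
def dns_reply_verdict():
    return verdict(packet("192.168.1.2", "eth0", 34567, proto="udp"))
```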