Re: services for predetermined IP addresses

--- Jason Opperisano <opie@xxxxxxxxxxx> wrote:

> On Fri, Oct 15, 2004 at 12:41:15PM -0700, kate wrote:
> > Hello,
> > 
> > As I see increased scans on my IP address, I want to
> > limit access to only predetermined IP address ranges
> > for certain services - Is the following the correct
> > way to do this?
> > 
> > <snip>
> > # (Part A) Rules for incoming packets from Internet
> > # Packets for established connections
> > iptables -A INPUT -p ALL -d $ETH0_IP -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> 
> stylistic note:  the "-p ALL" is kinda unnecessary...
> 
> > # (Part B) TCP Rules
> > iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1
> > --destination-port 21 -j okay # userA
> > iptables -A INPUT -p TCP -i eth0 -s 123.45.0/16
> > --destination-port 22 -j okay  #users A - Z
> 
> i think you're missing a "0" there:  123.45.0/16 should really be
> 123.45.0.0/16.
> 
> > </snip>
> > 
> > So I understand -
> > ONLY User A can ftp, and all those in 123.45. can ssh,
> > BUT no-one else on the Internet can request services?
> 
> yes--as long as somewhere further down the chain you hit a drop-all
> rule of some sort...

Yes, I see that now...
# (Part B) TCP Rules
iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1
--destination-port 21 -j okay # userA
iptables -A INPUT -p TCP -i eth0 -s 123.45.0.0/16
--destination-port 22 -j okay  #users A - Z

so the drop-all would be..?

iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP

or did I just invent my own thing here?
tia
Kate
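The rule set under discussion written out in full with the catch-all drop in its place, as an added example that is not from either poster. It assumes the `okay` target in the original is a plain ACCEPT, uses a placeholder address for ETH0_IP, and can be dry-run with IPT="echo iptables" so the ordering can be checked without touching the live firewall.

```shell
#!/bin/sh
# Added example: finished INPUT chain for the rules discussed in the thread.
# Set IPT="echo iptables" to print the commands instead of running them.
IPT="${IPT:-iptables}"
ETH0_IP="${ETH0_IP:-192.0.2.10}"   # placeholder for the host's own eth0 address (assumed)

build_input_rules() {
    # Start from an empty INPUT chain so the rule order is exactly what follows.
    $IPT -F INPUT
    # Loopback traffic must not be caught by the final drop rule.
    $IPT -A INPUT -i lo -j ACCEPT
    # (Part A) Replies to connections this host started; "-p ALL" is the default.
    $IPT -A INPUT -d "$ETH0_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # (Part B) Pre-approved sources only. Note the full 123.45.0.0/16 form.
    $IPT -A INPUT -p tcp -i eth0 -s 123.45.1.1    --dport 21 -j ACCEPT  # userA: ftp
    $IPT -A INPUT -p tcp -i eth0 -s 123.45.0.0/16 --dport 22 -j ACCEPT  # users A-Z: ssh
    # Catch-all, last in the chain: no "-p tcp" here, so UDP and ICMP from the
    # Internet are dropped as well, not just TCP. ("-s 0/0" is the default.)
    $IPT -A INPUT -i eth0 -j DROP
}

# Apply only when asked, so sourcing the file just defines the function.
if [ "${1:-}" = "apply" ]; then
    build_input_rules
fi
```

After applying, `iptables -L INPUT -n --line-numbers` should show the DROP rule with the highest number; anything appended later lands below it and never matches.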
