From: Wakko Warner <wakko@animx.eu.org>
To: "plugthebox.net /dev/null" <devnull@plugthebox.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: RE: INPUT and PORTS
Date: Wed, 1 Nov 2006 12:40:30 -0500
Message-ID: <20061101174030.GC25768@animx.eu.org>
In-Reply-To: <1162394816.17873.41.camel@localhost>
plugthebox.net /dev/null wrote:
> I want to thank you all for contributing.
>
> I'm currently setting up a firewall and a web interface for it. My
> strategy is to have:
>
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -A FORWARD -d 10.2.2.115 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.115 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.115 -j ACCEPT
> /sbin/iptables -A FORWARD -d 10.2.2.116 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.116 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.116 -j ACCEPT
> /sbin/iptables -A FORWARD -d 10.2.2.117 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.117 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.117 -j ACCEPT
> etc...
> /sbin/iptables -A INPUT -j DROP
> /sbin/iptables -A FORWARD -j DROP
>
> Meaning, I want to accept the connections from these 3 IPs, and drop all
> the rest. Now I want to let those allowed IPs only use 3 ports for
> the INPUT and more than 30 ports for FORWARDs (p2p and misc ports).
>
> I can't use -m multiport for each FORWARD, there are too many ports that
> 1 FORWARD line can run.
>
> I thought by allowing the ports BEFORE the IPs, that it would accept
> allow only the ports ACCEPTed to the IPs ACCEPTed, is that correct?
If I understand what you are wanting correctly, something I'm currently
doing may be what you want.
If you want to only allow specific IPs to connect to specific ports, you
might want to try this:
create 2 chains: ip and port (or whatever you want to name them).
iptables -A INPUT -j ip
iptables -A FORWARD -j ip
in ip:
iptables -A ip -j port -s 10.2.2.115
iptables -A ip -j port -d 10.2.2.115
...
in port:
iptables -A port -j ACCEPT -p tcp --dport 80
iptables -A port -j ACCEPT -p tcp --dport 22
...
Since you have the policy already to drop, there's probably no reason to add
DROP rules to INPUT and FORWARD.
If you want to allow any IPs, just add them to the ip chain. If you want to
allow the current list of IPs to access different ports, just add that port
to the port chain.
--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
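As an added example (not code from the thread or from netfilter), the following POSIX sh script generates the ip/port two-chain layout described in the reply above, generalized so that INPUT and FORWARD each get their own pair of chains and therefore their own port list, which is what the original poster asked for. The chain names (in_ip, in_port, fwd_ip, fwd_port), the DRY_RUN switch, the loopback and ESTABLISHED,RELATED rules, and the FORWARD port list are assumptions or constructed samples; only the three 10.2.2.x addresses come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build the ip/port chain layout from
# lists of allowed hosts and TCP ports, once per hook chain so INPUT and
# FORWARD can carry different port lists.
# DRY_RUN=1 (the default) prints the iptables commands instead of running
# them; set DRY_RUN=0 and run as root to apply.

DRY_RUN="${DRY_RUN:-1}"

# run: print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

# build_chains HOOK PREFIX "IP list" "TCP port list"
# Creates PREFIX_ip (who) and PREFIX_port (what) and hooks them into HOOK.
# A packet must pass both matches: an address in PREFIX_ip that jumps to
# PREFIX_port, then a port in PREFIX_port that ACCEPTs. Anything else falls
# off the end of both chains and back to the hook's DROP policy.
build_chains() {
    hook=$1; pfx=$2; ips=$3; ports=$4

    run -N "${pfx}_ip"
    run -N "${pfx}_port"

    # Assumption added here: accept replies to already-accepted connections
    # first. Return packets carry the ephemeral port as --dport and would
    # otherwise never match anything in the port chain.
    run -A "$hook" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A "$hook" -j "${pfx}_ip"

    # "who": traffic from or to each allowed address goes on to the port check.
    for a in $ips; do
        run -A "${pfx}_ip" -s "$a" -j "${pfx}_port"
        run -A "${pfx}_ip" -d "$a" -j "${pfx}_port"
    done
    # "what": only these destination ports are accepted.
    for p in $ports; do
        run -A "${pfx}_port" -p tcp --dport "$p" -j ACCEPT
    done
}

# Addresses from the thread; the two port lists are constructed samples.
ALLOWED="10.2.2.115 10.2.2.116 10.2.2.117"
INPUT_PORTS="22 80 443"
FORWARD_PORTS="80 443 6881 6882 6883 6884 6885 6886 6887 6888 6889"

# Default policies; -P takes a bare target, not -j.
run -P INPUT DROP
run -P FORWARD DROP
# Assumption: keep loopback working, or local services break under a DROP policy.
run -A INPUT -i lo -j ACCEPT

build_chains INPUT in "$ALLOWED" "$INPUT_PORTS"
build_chains FORWARD fwd "$ALLOWED" "$FORWARD_PORTS"
```

Note what each half of the ip chain means once combined with the port chain: the `-s` rule lets an allowed host open connections to the listed ports, while the `-d` rule lets others open connections to the allowed host on those same ports. If only one direction is wanted, drop the other rule. Because every path ends in the hook's DROP policy, the trailing `-A INPUT -j DROP` / `-A FORWARD -j DROP` lines from the original script are not needed, as the reply says.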