Policy Accept + Allow Multiple IP's

All of lore.kernel.org
 help / color / mirror / Atom feed

* Policy Accept + Allow Multiple IP's
@ 2004-11-16  0:51 Rudi Starcevic
       [not found] ` <99fb058804111423054365bd85@mail.gmail.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Rudi Starcevic @ 2004-11-16  0:51 UTC (permalink / raw)
  To: netfilter

Hi,

I have an Iptables firewall with a default policy of accept.

I want to allow only certain IP's ssh access.

So far I have this rule which allows 1 ip:

iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP

I'm not sure how to list more that 1 allowable IP.

This is a production box I've inherited so I'm hoping to work with I already
have but may need to look at changing the default policy to drop or 
something.

Please advise, many thanks.
Regards Rudi

^ permalink raw reply	[flat|nested] 4+ messages in thread

[parent not found: <99fb058804111423054365bd85@mail.gmail.com>]

* Re: Policy Accept + Allow Multiple IP's
       [not found] ` <99fb058804111423054365bd85@mail.gmail.com>
@ 2004-11-15  7:11   ` Paul Annesley
  2004-11-16  1:19     ` Rudi Starcevic
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Annesley @ 2004-11-15  7:11 UTC (permalink / raw)
  To: netfilter

---------- Forwarded message ----------
From: Paul Annesley <paul.annesley@gmail.com>
Date: Mon, 15 Nov 2004 18:05:17 +1100
Subject: Re: Policy Accept + Allow Multiple IP's
To: Rudi Starcevic <tech@wildcash.com>


On Mon, 15 Nov 2004 16:51:57 -0800, Rudi Starcevic <tech@wildcash.com> wrote:


> Hi,
>
> I have an Iptables firewall with a default policy of accept.
>
> I want to allow only certain IP's ssh access.
>
> So far I have this rule which allows 1 ip:
>
> iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
>
> I'm not sure how to list more that 1 allowable IP.
>
> This is a production box I've inherited so I'm hoping to work with I already
> have but may need to look at changing the default policy to drop or
> something.

Perhaps you should look at making the policy DROP and allowing
specific traffic..
However what you're after can be done with two rules.. something like;

iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

>
> Please advise, many thanks.
> Regards Rudi
>
>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Policy Accept + Allow Multiple IP's
  2004-11-15  7:11   ` Paul Annesley
@ 2004-11-16  1:19     ` Rudi Starcevic
  2004-11-15 12:07       ` John A. Sullivan III
  0 siblings, 1 reply; 4+ messages in thread
From: Rudi Starcevic @ 2004-11-16  1:19 UTC (permalink / raw)
  To: netfilter

Thanks Paul,

Was hoping for a simple solution and well please to know I can do it 
both ways.

Many thanks
Best regards Rudi

Paul Annesley wrote:

>---------- Forwarded message ----------
>From: Paul Annesley <paul.annesley@gmail.com>
>Date: Mon, 15 Nov 2004 18:05:17 +1100
>Subject: Re: Policy Accept + Allow Multiple IP's
>To: Rudi Starcevic <tech@wildcash.com>
>
>
>On Mon, 15 Nov 2004 16:51:57 -0800, Rudi Starcevic <tech@wildcash.com> wrote:
>
>
>  
>
>>Hi,
>>
>>I have an Iptables firewall with a default policy of accept.
>>
>>I want to allow only certain IP's ssh access.
>>
>>So far I have this rule which allows 1 ip:
>>
>>iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
>>
>>I'm not sure how to list more that 1 allowable IP.
>>
>>This is a production box I've inherited so I'm hoping to work with I already
>>have but may need to look at changing the default policy to drop or
>>something.
>>    
>>
>
>Perhaps you should look at making the policy DROP and allowing
>specific traffic..
>However what you're after can be done with two rules.. something like;
>
>iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
>iptables -A INPUT -p tcp --dport 22 -j DROP
>
>  
>
>>Please advise, many thanks.
>>Regards Rudi
>>
>>
>>    
>>
>
>
>
>  
>



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Policy Accept + Allow Multiple IP's
  2004-11-16  1:19     ` Rudi Starcevic
@ 2004-11-15 12:07       ` John A. Sullivan III
  0 siblings, 0 replies; 4+ messages in thread
From: John A. Sullivan III @ 2004-11-15 12:07 UTC (permalink / raw)
  To: Rudi Starcevic; +Cc: Netfilter users list

As Paul mentioned, I would strongly recommend a default drop policy. 
However, should you need the default accept, you can streamline the
packet processing by using a user defined chain.  This will allow any
long list of allowed SSH IPs to be separated from normal packet
processing:

iptables -N sshchain
iptables -A FORWARD -p 6 --dport 22 -j sshchain
iptables -A sshchain -s x.x.x.x -j ACCEPT
iptables -A sshchain -s y.y.y.y -j ACCEPT
iptables -A sshchain -s z.z.z.z -j ACCEPT
iptables -A sshchain -j DROP

Hope this helps - John

On Mon, 2004-11-15 at 20:19, Rudi Starcevic wrote:
> Thanks Paul,
> 
> Was hoping for a simple solution and well please to know I can do it 
> both ways.
> 
> Many thanks
> Best regards Rudi
> 
> Paul Annesley wrote:
> 
> >---------- Forwarded message ----------
> >From: Paul Annesley <paul.annesley@gmail.com>
> >Date: Mon, 15 Nov 2004 18:05:17 +1100
> >Subject: Re: Policy Accept + Allow Multiple IP's
> >To: Rudi Starcevic <tech@wildcash.com>
> >
> >
> >On Mon, 15 Nov 2004 16:51:57 -0800, Rudi Starcevic <tech@wildcash.com> wrote:
> >
> >
> >  
> >
> >>Hi,
> >>
> >>I have an Iptables firewall with a default policy of accept.
> >>
> >>I want to allow only certain IP's ssh access.
> >>
> >>So far I have this rule which allows 1 ip:
> >>
> >>iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
> >>
> >>I'm not sure how to list more that 1 allowable IP.
> >>
> >>This is a production box I've inherited so I'm hoping to work with I already
> >>have but may need to look at changing the default policy to drop or
> >>something.
> >>    
> >>
> >
> >Perhaps you should look at making the policy DROP and allowing
> >specific traffic..
> >However what you're after can be done with two rules.. something like;
> >
> >iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
> >iptables -A INPUT -p tcp --dport 22 -j DROP
> >
> >  
> >
> >>Please advise, many thanks.
> >>Regards Rudi
> >>
> >>
> >>    
> >>
> >
> >
> >
> >  
> >
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2004-11-16  1:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-11-16  0:51 Policy Accept + Allow Multiple IP's Rudi Starcevic
     [not found] ` <99fb058804111423054365bd85@mail.gmail.com>
2004-11-15  7:11   ` Paul Annesley
2004-11-16  1:19     ` Rudi Starcevic
2004-11-15 12:07       ` John A. Sullivan III

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.