From: Martijn Lievaart <m@rtij.nl>
To: Eial Czerwacki <eial@cs.bgu.ac.il>
Cc: mouss <mouss@netoyen.net>, netfilter@vger.kernel.org
Subject: Re: iptables block samba or not?
Date: Fri, 25 Jan 2008 20:02:26 +0100
Message-ID: <479A3242.4060304@rtij.nl>
In-Reply-To: <200801251653.m0PGr8Qe010047@indigo.cs.bgu.ac.il>
Eial Czerwacki wrote:
> what I meant is that I want that ssh input will be accepted only from an ip that I've initiated the connection to.
> On Fri 25 Jan 18:13 2008 mouss wrote:
>
>> Eial Czerwacki wrote:
>>
>>> works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
>>>
>>>
>> that's what your "accept all previously established connections" does if
>> you don't add other INPUT rules.
>>
[ Please don't top-post ]
Yes, you need the recent module for this. Add the source of outgoing
connections to a recent table and accept on source address in that table.
Something like this (untested!):
# Don't let established packets trigger the recent match below....
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Record the destination of every other outgoing packet in the "tcpout" table
-A OUTPUT -o $EXTERNAL_IF -m recent --set --name tcpout --rdest
# Accept new SSH only from a source seen in that table within the last 100 s (-p tcp is required for -m tcp)
-A INPUT -i $EXTERNAL_IF -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 100 --name tcpout --rsource -j ACCEPT
HTH,
M4
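As an added illustration (not part of the post above), here is a small Python model of how that pair of recent-module rules behaves: xt_recent's --set/--rcheck semantics with the 100-second window, run over a constructed packet trace. The conntrack states, the DROP policy on INPUT, the pre-existing "established" INPUT rule and all addresses and timings are assumptions made for the example.

```python
# Added example (not from the thread) modelling the posted recent-module rules.
# Assumed: INPUT accepts ESTABLISHED,RELATED first, INPUT policy DROP, constructed trace.
from dataclasses import dataclass
RECENT_SECONDS = 100  # --seconds 100 in the posted INPUT rule

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED

class RecentTable:
    """Minimal model of xt_recent: one timestamp per address (--name tcpout)."""
    def __init__(self):
        self.last_seen = {}
    def set(self, addr, now):  # -m recent --set: add or refresh the entry
        self.last_seen[addr] = now
    def rcheck(self, addr, now, seconds):  # --rcheck: test without refreshing
        last = self.last_seen.get(addr)
        return last is not None and now - last <= seconds

class Firewall:
    def __init__(self):
        self.tcpout = RecentTable()
    def output(self, pkt, now):
        if pkt.state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"  # rule 1: reply traffic never reaches --set
        self.tcpout.set(pkt.dst, now)  # rule 2: --set --rdest keys on destination
        return "ACCEPT"  # note: every protocol is recorded, not only TCP
    def input(self, pkt, now):
        if pkt.state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"  # assumed: the existing "established" INPUT rule
        if (pkt.proto == "tcp" and pkt.dport == 22
                and self.tcpout.rcheck(pkt.src, now, RECENT_SECONDS)):
            return "ACCEPT"  # rule 3: --rcheck --rsource keys on source
        return "DROP"  # assumed INPUT policy

def run_trace():
    """Constructed trace of (seconds, direction, packet); returns the verdicts."""
    fw, me, peer, other = Firewall(), "192.0.2.10", "198.51.100.7", "203.0.113.9"
    trace = [
        (0, "out", Packet(me, peer, "tcp", 80, "NEW")),  # we contact peer
        (5, "in", Packet(peer, me, "tcp", 22, "NEW")),  # peer SSHes back: in window
        (5, "in", Packet(other, me, "tcp", 22, "NEW")),  # never contacted
        (60, "out", Packet(me, peer, "tcp", 80, "ESTABLISHED")),  # no refresh
        (150, "in", Packet(peer, me, "tcp", 22, "NEW")),  # 100 s window expired
    ]
    return [fw.output(p, t) if d == "out" else fw.input(p, t) for t, d, p in trace]
```

The last step of the trace shows the practical caveat: because only non-established outbound packets reach --set and --rcheck never refreshes an entry, a new inbound SSH connection is accepted only within 100 s of the last new connection you opened to that host.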