From: Scott Melnyk <scott@sbc.su.se>
To: netfilter@lists.netfilter.org
Subject: newbie question
Date: 24 Mar 2003 16:54:02 +0100
Message-ID: <1048521242.10333.55.camel@razor>
Hello, I hope this is not too simple to post. I have not quite got
IPTABLES use down.
I am looking at setting up local firewalls on a cluster of machines
(almost 100 linux boxes running RH 7.3 and 8.0). The login nodes for
the cluster have extensive hardware based firewalling rules.
On the rest of the cluster I would like to set IPTABLES to accept
everything within the subnet and drop anything from an outside
address.
My thought for setting the rules on each machine is to push out and
run a bash script.
Is it possible to simply set up a firewall with something as simple as:
#!/bin/bash
#
service iptables stop
iptables -F
# rate-limited logging (default limit 3/hour) of traffic in both directions
iptables -A INPUT -m limit -j LOG
iptables -A OUTPUT -m limit -j LOG
# the target must be given with -j
iptables -A INPUT -s 130.xxx.xxx.128/25 -j ACCEPT
#rule here to drop all non 130.xxx.xxx.128/25
iptables -P FORWARD DROP
iptables -P INPUT DROP
service iptables save
We have a subnet of 130.xxx.xxx.128/255.255.255.128
How can I define a mandatory drop of everything not in
130.xxx.xxx.128/255.255.255.128?
Finally what risks am I taking by doing this? Other than if someone
hacks into one of the login nodes, I realize this would then give them
access to the rest of the cluster.
All thoughts, advice and suggestions very welcome. Thank you in
advance.
Sincerely,
Scott Melnyk
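As an added example (not Scott's script and not from the netfilter project), a script for the non-login nodes that takes the network and the dotted mask from the post as arguments (the real values are x'd out there), converts the mask to a prefix length, and loads a default-deny ruleset in one step through iptables-restore. It assumes iptables-restore and the state match shipped with the 2.4-era iptables on RH 7.3/8.0, and it also accepts loopback and replies to connections the node itself opened, which the script in the post would drop.

```bash
#!/bin/bash
# Added example (not Scott's script): default-deny ruleset for the cluster nodes.
# The subnet comes in as arguments because the post x's the real one out.

mask_to_prefix() {
    # "255.255.255.128" -> 25; rejects non-contiguous masks such as 255.0.255.0
    local bits=0 n tail=0 octet oldifs="$IFS"
    IFS=.
    for octet in $1; do
        case "$octet" in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
            240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) IFS="$oldifs"; return 1 ;;
        esac
        # once an octet is not all-ones, every later octet must be zero
        if [ "$tail" = 1 ] && [ "$n" != 0 ]; then IFS="$oldifs"; return 1; fi
        [ "$n" = 8 ] || tail=1
        bits=$((bits + n))
    done
    IFS="$oldifs"
    echo "$bits"
}

build_ruleset() {
    # $1 = cluster subnet in CIDR form; output is iptables-restore input
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this node opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $1 -j ACCEPT
# only what is about to be dropped gets logged, rate-limited
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "OFFSUBNET: "
-A INPUT -j DROP
COMMIT
EOF
}

apply_ruleset() {
    # loads the table in one step (no half-built chain while rules are added);
    # needs root. Usage: apply_ruleset NETWORK 255.255.255.128
    build_ruleset "$1/$(mask_to_prefix "$2")" | iptables-restore
}

if [ $# -eq 2 ]; then apply_ruleset "$1" "$2"; fi
```

The explicit `-A INPUT -j DROP` is redundant with the chain policy but makes the intent visible in `iptables -L`; the policy still catches anything added later that falls through.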