* Policy Accept + Allow Multiple IP's
@ 2004-11-16 0:51 Rudi Starcevic
[not found] ` <99fb058804111423054365bd85@mail.gmail.com>
0 siblings, 1 reply; 4+ messages in thread
From: Rudi Starcevic @ 2004-11-16 0:51 UTC (permalink / raw)
To: netfilter
Hi,
I have an Iptables firewall with a default policy of accept.
I want to allow only certain IP's ssh access.
So far I have this rule which allows 1 ip:
iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
I'm not sure how to list more than 1 allowable IP.
This is a production box I've inherited so I'm hoping to work with what I already
have but may need to look at changing the default policy to drop or
something.
Please advise, many thanks.
Regards Rudi
* Re: Policy Accept + Allow Multiple IP's
@ 2004-11-15 7:11 Paul Annesley
2004-11-16 1:19 ` Rudi Starcevic
0 siblings, 1 reply; 4+ messages in thread
From: Paul Annesley @ 2004-11-15 7:11 UTC (permalink / raw)
To: netfilter

---------- Forwarded message ----------
From: Paul Annesley <paul.annesley@gmail.com>
Date: Mon, 15 Nov 2004 18:05:17 +1100
Subject: Re: Policy Accept + Allow Multiple IP's
To: Rudi Starcevic <tech@wildcash.com>

On Mon, 15 Nov 2004 16:51:57 -0800, Rudi Starcevic <tech@wildcash.com> wrote:
> Hi,
>
> I have an Iptables firewall with a default policy of accept.
>
> I want to allow only certain IP's ssh access.
>
> So far I have this rule which allows 1 ip:
>
> iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
>
> I'm not sure how to list more than 1 allowable IP.
>
> This is a production box I've inherited so I'm hoping to work with what I already
> have but may need to look at changing the default policy to drop or
> something.

Perhaps you should look at making the policy DROP and allowing
specific traffic..
However what you're after can be done with two rules.. something like;

iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

> Please advise, many thanks.
> Regards Rudi
* Re: Policy Accept + Allow Multiple IP's
@ 2004-11-16 1:19 Rudi Starcevic
2004-11-15 12:07 ` John A. Sullivan III
0 siblings, 1 reply; 4+ messages in thread
From: Rudi Starcevic @ 2004-11-16 1:19 UTC (permalink / raw)
To: netfilter

Thanks Paul,

Was hoping for a simple solution and well pleased to know I can do it
both ways.

Many thanks
Best regards Rudi

Paul Annesley wrote:
> ---------- Forwarded message ----------
> From: Paul Annesley <paul.annesley@gmail.com>
> Date: Mon, 15 Nov 2004 18:05:17 +1100
> Subject: Re: Policy Accept + Allow Multiple IP's
> To: Rudi Starcevic <tech@wildcash.com>
>
> On Mon, 15 Nov 2004 16:51:57 -0800, Rudi Starcevic <tech@wildcash.com> wrote:
>> Hi,
>>
>> I have an Iptables firewall with a default policy of accept.
>>
>> I want to allow only certain IP's ssh access.
>>
>> So far I have this rule which allows 1 ip:
>>
>> iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
>>
>> I'm not sure how to list more than 1 allowable IP.
>>
>> This is a production box I've inherited so I'm hoping to work with what I already
>> have but may need to look at changing the default policy to drop or
>> something.
>
> Perhaps you should look at making the policy DROP and allowing
> specific traffic..
> However what you're after can be done with two rules.. something like;
>
> iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j DROP
>
>> Please advise, many thanks.
>> Regards Rudi
* Re: Policy Accept + Allow Multiple IP's
@ 2004-11-15 12:07 John A. Sullivan III
0 siblings, 0 replies; 4+ messages in thread
From: John A. Sullivan III @ 2004-11-15 12:07 UTC (permalink / raw)
To: Rudi Starcevic; +Cc: Netfilter users list

As Paul mentioned, I would strongly recommend a default drop policy.
However, should you need the default accept, you can streamline the
packet processing by using a user defined chain. This will allow any
long list of allowed SSH IPs to be separated from normal packet
processing:

iptables -N sshchain
iptables -A FORWARD -p 6 --dport 22 -j sshchain
iptables -A sshchain -s x.x.x.x -j ACCEPT
iptables -A sshchain -s y.y.y.y -j ACCEPT
iptables -A sshchain -s z.z.z.z -j ACCEPT
iptables -A sshchain -j DROP

Hope this helps - John

On Mon, 2004-11-15 at 20:19, Rudi Starcevic wrote:
> Thanks Paul,
>
> Was hoping for a simple solution and well pleased to know I can do it
> both ways.
>
> Many thanks
> Best regards Rudi
>
> Paul Annesley wrote:
>> ---------- Forwarded message ----------
>> From: Paul Annesley <paul.annesley@gmail.com>
>> Date: Mon, 15 Nov 2004 18:05:17 +1100
>> Subject: Re: Policy Accept + Allow Multiple IP's
>> To: Rudi Starcevic <tech@wildcash.com>
>>
>> On Mon, 15 Nov 2004 16:51:57 -0800, Rudi Starcevic <tech@wildcash.com> wrote:
>>> Hi,
>>>
>>> I have an Iptables firewall with a default policy of accept.
>>>
>>> I want to allow only certain IP's ssh access.
>>>
>>> So far I have this rule which allows 1 ip:
>>>
>>> iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
>>>
>>> I'm not sure how to list more than 1 allowable IP.
>>>
>>> This is a production box I've inherited so I'm hoping to work with what I already
>>> have but may need to look at changing the default policy to drop or
>>> something.
>>
>> Perhaps you should look at making the policy DROP and allowing
>> specific traffic..
>> However what you're after can be done with two rules.. something like;
>>
>> iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j DROP
>>
>>> Please advise, many thanks.
>>> Regards Rudi

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
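An added example (not from any message in the thread) that turns Paul's two-rule answer and John's user-defined chain into a small script: it validates the allowed addresses before emitting anything, so a typo cannot quietly produce an allow-list that drops every SSH connection, and it hooks the chain on INPUT, since sshd on the box answers on that chain (John's rule uses FORWARD, which only sees traffic routed through the host). The chain name `sshchain` is John's; the `ssh_allowlist` helpers and the RFC 5737 documentation addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the user-defined SSH chain
# John describes, hooked on INPUT and inserted at position 1 so that no
# earlier ACCEPT in an inherited ruleset bypasses it. The addresses used in
# the demo call are RFC 5737 documentation ranges (constructed placeholders).

# Print the rule set for the given allowed source addresses (IPv4 or CIDR).
# Returns 1 on a malformed or missing address: with default policy ACCEPT the
# only thing protecting port 22 is this chain, so it must never be half-built.
ssh_allowlist_rules() {
    chain="sshchain"
    [ "$#" -gt 0 ] || { echo "no allowed addresses given" >&2; return 1; }
    for ip in "$@"; do
        case "$ip" in
            *[!0-9./]*|"") echo "bad address: $ip" >&2; return 1 ;;
        esac
    done
    printf 'iptables -N %s\n' "$chain"
    # -I ... 1 rather than -A: an earlier rule accepting port 22 would
    # otherwise short-circuit the jump and the allow-list would never run.
    printf 'iptables -I INPUT 1 -p tcp --dport 22 -j %s\n' "$chain"
    for ip in "$@"; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$ip"
    done
    # Everything not listed above falls through to the chain's final DROP.
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# "print" shows what would be applied; "apply" executes the rules (needs root).
ssh_allowlist() {
    mode="$1"; shift
    rules=$(ssh_allowlist_rules "$@") || return 1
    if [ "$mode" = "apply" ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

ssh_allowlist print 192.0.2.10 198.51.100.0/24
```

Before running it in apply mode, confirm the address you are connecting from is in the list, and on an inherited ruleset check `iptables -L INPUT -n --line-numbers` for anything that already accepts port 22.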