
Re: ipchains rule



David Barr wrote:

On Wednesday, Oct 29, 2003, at 13:15 US/Pacific, djo wrote:


hi - this should be simple, but the learning curve for ipchains is akin to a
brick wall.


I have a RH9 server. The security level was set to "high" during the install
process. It only has one LAN card (eth0).


I now want to allow specific IP addresses access to samba (ports 137:139?).

Can anyone help me out?


Well, first you want to look at iptables, not ipchains. RH switched with version 8.


A sample command for that would be something like:

iptables -A INPUT -p tcp -m tcp --destination-port 137:139 -j ACCEPT

"-m tcp" is superfluous. The "-p tcp" will pull in the TCP module.


plus a switch for identifying a specific ip address, which I don't know off the top of my head.

iptables -A INPUT -p tcp -s 10.24.1.0/24 --dport 137:139 -j ACCEPT


would allow any machine with addresses from 10.24.1.1 through 10.24.1.254
in.  For three individual machines:

iptables -A INPUT -p tcp -s 10.24.1.3 --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp -s 10.24.1.4 --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp -s 10.24.1.5 --dport 137:139 -j ACCEPT

would only allow 10.24.1.3, 10.24.1.4 and 10.24.1.5 in.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-                   To err is human, to moo bovine.                  -
----------------------------------------------------------------------
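
The per-address rules above, as an added example that is not part of the original messages: a shell function that validates each source and prints the matching rules for review instead of applying them. It goes beyond the thread by splitting the ports by protocol (137-138/udp for the NetBIOS name and datagram services, 139/tcp for sessions); the function names `valid_src` and `samba_allow_rules` are hypothetical.

```shell
#!/bin/sh
# Added example: prints rules for review; it does not apply them.
# valid_src and samba_allow_rules are hypothetical helper names.

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_src() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # Only digits and dots, no empty octets; this also blocks shell metacharacters.
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Refuse the whole list on one bad entry, so a typo cannot yield a partial allow-list.
samba_allow_rules() {
    for src in "$@"; do
        valid_src "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        # nmbd: NetBIOS name service (137) and datagrams (138), both UDP
        echo "iptables -A INPUT -p udp -s $src --dport 137:138 -j ACCEPT"
        # smbd: NetBIOS session service (139), TCP
        echo "iptables -A INPUT -p tcp -s $src --dport 139 -j ACCEPT"
    done
}

# The three hosts from the message above.
samba_allow_rules 10.24.1.3 10.24.1.4 10.24.1.5
```

Because `-A` appends, these rules only take effect if no earlier rule in the INPUT chain already rejects the traffic; `iptables -L INPUT -n --line-numbers` shows the order.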