Re: allowing connections from a specific host on a specific port with ipchains ?
- From: "Rodolfo J. Paiz" <rpaiz indahaus com>
- To: redhat-list redhat com
- Subject: Re: allowing connections from a specific host on a specific port with ipchains ?
- Date: Fri Feb 1 06:26:04 2002
At 2/1/2002 05:17 PM +0000, you wrote:
How do you add an ipchains rule to accept connections from
a given host (eg. www.xxx.yyy.zzz) on a specific port (eg. 3333) ?
# /sbin/ipchains -I input -p tcp -s www.xxx.yyy.zzz 3333 -j ACCEPT
Almost right.
# ipchains -A input -p tcp -s www.xxx.yyy.zzz 1024:65535 \
    -d $MY_IP_ADDRESS 3333 -j ACCEPT
# ipchains -A output -p tcp ! -y -s $MY_IP_ADDRESS 3333 \
    -d www.xxx.yyy.zzz 1024:65535 -j ACCEPT
The differences:
1. Specifying "1024:65535" after his IP address allows connections only
from unprivileged ports, which is the way it should be happening. You may
eliminate this if you'd like to allow connections from any port on his machine.
2. You specify the 3333 after *your* IP address, not after his. And you are
specific about your IP address (not just "--destination-port 3333") so that
your firewall doesn't even allow packets destined for other servers.
3. You need an output rule as well. Otherwise his connection request will
get through but nothing will get back out.
4. In the output rule, specifying "! -y" means "but NOT any SYN packets".
SYN packets are those used to request connections. So the inbound rule will
allow any traffic (including connection requests) and the outbound rule
will allow any traffic that does not initiate a new connection. So he can
connect to you but not you to him. (And he cannot get another program on
your machine to connect to his box either, which is more relevant.)
--
Rodolfo J. Paiz
rpaiz indahaus com
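Because ipchains walks each chain in order and falls through to the default policy, the four points above can be checked against a small model of the two rules. This is an added example, not code from the post: the addresses, the DENY default policy and the packet model are constructed here, and only the firewall host's own traffic is modelled.

```python
# Added example (not from the post): a minimal model of ipchains first-match
# semantics, used to check what the two ACCEPT rules do and do not admit.
# Addresses and the default DENY policy are constructed for the example.
from dataclasses import dataclass
from typing import Optional

HIS_IP = "192.0.2.10"        # stands in for www.xxx.yyy.zzz (constructed)
MY_IP = "198.51.100.5"       # stands in for $MY_IP_ADDRESS (constructed)
UNPRIV = range(1024, 65536)  # the "1024:65535" port range
PORT = range(3333, 3334)     # the single port 3333

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for a bare SYN (SYN set, ACK clear): what "-y" matches

@dataclass
class Rule:
    src: Optional[str]
    sports: Optional[range]
    dst: Optional[str]
    dports: Optional[range]
    not_syn: bool = False  # "! -y": match only packets that are NOT a bare SYN

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src == self.src)
                and (self.sports is None or p.sport in self.sports)
                and (self.dst is None or p.dst == self.dst)
                and (self.dports is None or p.dport in self.dports)
                and not (self.not_syn and p.syn))

# The two ACCEPT rules from the reply; anything unmatched hits the default DENY.
INPUT = [Rule(HIS_IP, UNPRIV, MY_IP, PORT)]
OUTPUT = [Rule(MY_IP, PORT, HIS_IP, UNPRIV, not_syn=True)]

def verdict(chain: list, p: Packet) -> str:
    """First matching rule wins; no match means the default policy (DENY)."""
    return "ACCEPT" if any(r.matches(p) for r in chain) else "DENY"

def connection_allowed(src: str, sport: int, dst: str, dport: int) -> bool:
    """Does a TCP handshake from src:sport to dst:dport survive both chains?
    The SYN must pass the chain it enters on and the SYN-ACK the other one."""
    syn = Packet(src, sport, dst, dport, syn=True)
    synack = Packet(dst, dport, src, sport, syn=False)  # SYN+ACK is not "-y"
    if src != MY_IP:  # request arrives from outside: input first, reply out
        return verdict(INPUT, syn) == "ACCEPT" and verdict(OUTPUT, synack) == "ACCEPT"
    return verdict(OUTPUT, syn) == "ACCEPT" and verdict(INPUT, synack) == "ACCEPT"
```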