iptables

Chiu, PCM (Peter) P.C.M.Chiu at rl.ac.uk
Fri Sep 15 14:14:31 UTC 2006


Patrick,

>I've added my DNS & GW, and I can connect from anywhere within the
>allowed range, I also can get out to the Net, but...

>This setup prevents any returning packet from the Net to get in... 

I thought that is precisely what you want:
   "I need some help with iptables. I'm trying to block every access to one
   RHEL4 box (x.y.z.218), except from 9 IPs (x.y.z.211-219).
   Every port from the allowed range should reach x.y.z.218"

i.e. restrict access only to your 9 machines and no one else.

If there is another (internal/external) host/network you need to access,
just add that to the accept list.

This way, you have precise control over where users can get in from and get
out.
Even if hackers manage to break in, they cannot do a general probe to
other machines.

Peter

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Patrick Derwael
Sent: 15 September 2006 14:57
To: redhat-list at redhat.com
Subject: RE: iptables

Peter,
Thank you for the hint (/32)
I've added my DNS & GW, and I can connect from anywhere within the
allowed range, I also can get out to the Net, but...

This setup prevents any returning packet from the Net to get in...

I presume this is related to the connection state, but I don't have a
clue about how to set this up properly.

My script is the following:

# Start from a clean situation
iptables -F
# Authorised range
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.211/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.212/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.213/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.214/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.215/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.216/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.217/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.218/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.219/32 -j ACCEPT
# DNS1-DNS2
iptables -A INPUT -s 111.222.333.131/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.141/32 -j ACCEPT
# Gateway
iptables -A INPUT -s 111.222.333.254/32 -j ACCEPT
# Drop all the rest
iptables -A INPUT -s ! 111.222.333.219/32 -j DROP
iptables -L #

On Fri, September 15, 2006 2:30 pm, Chiu, PCM \(Peter\) said:
> I would suggest
>
> iptables -F
> iptables -A INPUT -s x.y.z.211/32 -j ACCEPT
> iptables -A INPUT -s x.y.z.212/32 -j ACCEPT
> ....
> iptables -A INPUT -s ! x.y.z.219/32 -j DROP
>
> You may also need to include your own default router and dns server to
> the accept list, otherwise you won't get out.
>
> Peter
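Added example, not from the thread: Patrick's whitelist script above rewritten as a stateful rule set, so that answers to connections the box itself opens (DNS lookups, outbound sessions) are let back in without whitelisting the DNS servers and gateway. It assumes RHEL4-era iptables with the `state` match (current kernels use `-m conntrack --ctstate` with the same meaning) and emits iptables-restore input rather than calling iptables, so the result can be reviewed before it is applied; the addresses are the thread's obfuscated placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Prints a complete
# iptables-restore rule set; apply with:  sh whitelist.sh | iptables-restore
# iptables-restore loads the whole table atomically, and the ESTABLISHED
# rule keeps the administrator's current SSH session alive while it does.

# The 9 hosts allowed to open connections to the box (x.y.z.211-219 in the
# thread; 111.222.333.x are the thread's placeholder addresses).
ALLOWED="111.222.333.211 111.222.333.212 111.222.333.213 111.222.333.214
111.222.333.215 111.222.333.216 111.222.333.217 111.222.333.218 111.222.333.219"

gen_rules() {
    # Default policy DROP replaces the original "-s ! x.y.z.219 -j DROP"
    # line, which after the ACCEPT rules is a drop-all anyway but reads as
    # if .219 were special. OUTPUT stays open, as in the original script.
    # The ESTABLISHED,RELATED line is what the original is missing: replies
    # to traffic this box sent (and related ICMP errors) are accepted here,
    # so the DNS servers and the gateway no longer need their own ACCEPT
    # lines just to get answers back. Add them to ALLOWED only if they must
    # initiate connections to the box.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    # Only NEW connections need a source check; everything else has already
    # been decided by the state rules above.
    for ip in $ALLOWED; do
        printf '%s\n' "-A INPUT -s $ip/32 -m state --state NEW -j ACCEPT"
    done
    # Rate-limited log of whatever falls through to the DROP policy, so
    # rejected traffic is visible in syslog instead of vanishing silently.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "'
    printf '%s\n' 'COMMIT'
}

gen_rules
```

Review the printed rules with `gen_rules | less` first; the output is also what `iptables-save` will show after loading, so it doubles as the documented firewall state for the box.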


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list