iptables
Chiu, PCM (Peter)
P.C.M.Chiu at rl.ac.uk
Fri Sep 15 14:14:31 UTC 2006
Patrick,
> I've added my DNS & GW, and I can connect from anywhere within the
> allowed range, I also can get out to the Net, but...
> This setup prevents any returning packet from the Net to get in...
I thought that is precisely what you want:
"I need some help with iptables. I'm trying to block every access to one
RHEL4 box (x.y.z.218), except from 9 IPs (x.y.z.211-219).
Every port from the allowed range should reach x.y.z.218"
i.e. restrict access only to your 9 machines and no one else.
If there is another (internal/external) host/network you need to access,
just add that to the accept list.
This way, you have precise control over where users can get in from and
get out to.
Even if hackers manage to break in, they cannot do a general probe to
other machines.
Peter
-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Patrick Derwael
Sent: 15 September 2006 14:57
To: redhat-list at redhat.com
Subject: RE: iptables
Peter,
Thank you for the hint (/32)
I've added my DNS & GW, and I can connect from anywhere within the
allowed range, I also can get out to the Net, but...
This setup prevents any returning packet from the Net to get in...
I presume this is related to the connection state, but I don't have a
clue about how to set this up properly.
My script is the following:
# Start from a clean situation
iptables -F
# Authorised range
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.211/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.212/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.213/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.214/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.215/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.216/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.217/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.218/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.219/32 -j ACCEPT
# DNS1-DNS2
iptables -A INPUT -s 111.222.333.131/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.141/32 -j ACCEPT
# Gateway
iptables -A INPUT -s 111.222.333.254/32 -j ACCEPT
# Drop all the rest
iptables -A INPUT -s ! 111.222.333.219/32 -j DROP
iptables -L #
On Fri, September 15, 2006 2:30 pm, Chiu, PCM (Peter) said:
> I would suggest
>
> iptables -F
> iptables -A INPUT -s x.y.z.211/32 -j ACCEPT
> iptables -A INPUT -s x.y.z.212/32 -j ACCEPT
> ....
> iptables -A INPUT -s ! x.y.z.219/32 -j DROP
>
> You may also need to include your own default router and dns server in
> the accept list, otherwise you won't get out.
>
> Peter
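The connection-state rule this thread is missing, as an added example that is neither Patrick's script nor Peter's suggestion: the same allow-list rebuilt with an ESTABLISHED,RELATED rule placed before the catch-all DROP, so replies to connections the box itself opens get back in. The 192.0.2.x addresses are constructed stand-ins for the thread's x.y.z hosts, and IPTABLES is an assumed variable (set it to echo to dry-run).

```shell
#!/bin/sh
# Added example (not from the thread): allow-list plus connection tracking,
# so that replies to connections this box opens (DNS answers, web pages)
# are accepted before the catch-all DROP.  192.0.2.x are constructed
# stand-ins for the thread's x.y.z addresses.  IPTABLES=echo dry-runs.
IPTABLES=${IPTABLES:-iptables}
NET=192.0.2
DNS="$NET.131 $NET.141"
GATEWAY="$NET.254"

apply_rules() {
    # Start from a clean INPUT chain
    $IPTABLES -F INPUT
    # Loopback traffic (the thread used -s 127.0.0.1/32 for the same purpose)
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Return traffic for connections this host initiated.  Without this
    # rule every reply from the Net hits the final DROP, which is the
    # symptom described in the thread.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The nine hosts allowed to open new connections to this box
    n=211
    while [ "$n" -le 219 ]; do
        $IPTABLES -A INPUT -s "$NET.$n/32" -m state --state NEW -j ACCEPT
        n=$((n + 1))
    done
    # DNS servers and gateway: with state tracking these only matter if
    # they initiate connections to this box, but the thread allows them.
    for ip in $DNS $GATEWAY; do
        $IPTABLES -A INPUT -s "$ip/32" -m state --state NEW -j ACCEPT
    done
    # Everything else: a plain DROP instead of the negated-source rule,
    # which only dropped packets not coming from .219
    $IPTABLES -A INPUT -j DROP
}

# Print the rules that would be installed, without touching the firewall
dump_rules() {
    ( IPTABLES=echo; apply_rules )
}

# Only touch the live firewall when invoked as: sh script.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
    $IPTABLES -L INPUT -n -v
fi
```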
--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list