The initial setup would be something along the lines of this, substituting the service you want to control for 'fubar':

    iptables --new-chain fubar-chain
    iptables --append fubar-chain --jump DROP
    # "! --in-interface lo" is the current negation syntax; older iptables
    # releases also accepted "--in-interface ! lo"
    iptables --insert RH-Firewall-1-INPUT ! --in-interface lo \
        --protocol tcp --dport fubar --jump fubar-chain

This sets up the initial state so that any requests for service fubar get dropped. You could add the following to /etc/sysconfig/iptables (just before the line saying "COMMIT") to accomplish the same thing when iptables gets started:

--BEGIN
# declare the chain (name, default policy "-" for a user chain, packet/byte counters)
:fubar-chain - [0:0]
-A fubar-chain -j DROP
-I RH-Firewall-1-INPUT ! -i lo -p tcp --dport fubar -j fubar-chain
--END

Now you need to flush the chain and put the correct rules in to allow them to work, using a shell script something like this to make it go:

--BEGIN
#!/bin/bash
# start from a DROP-only chain, then insert one ACCEPT per address the
# name currently resolves to (each --insert lands above the DROP)
iptables --flush fubar-chain
iptables --append fubar-chain --jump DROP
for ipaddr in $( host chatenabled.google.com | \
                 awk '( / has address / ) { print $NF }' )
do
    iptables --insert fubar-chain --source ${ipaddr} \
        --protocol tcp --dport fubar --jump ACCEPT
done
--END

There might be some disruption of service while this is running, so a little tweaking might be necessary to NOT remove the rules unless the DNS translation has actually changed. Set this script up to run as a cron job with whatever frequency makes sense.
This is pretty generic and will have to be adapted to your specific needs, altering the service names and protocols as appropriate. Since this was basically from memory, make DARNED sure you make backup copies of any files you modify before trying this out!
Your mileage may vary! -- Jay Leafey - Memphis, TN jay.leafey@xxxxxxxxxxxx
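The "disruption while this is running" caveat above comes from flushing the chain and re-adding rules on every cron run. The script below is an added example, not the one Jay posted: it keeps the same chain layout (ACCEPT rules above a trailing DROP) but reconciles the loaded rules with the DNS answer instead of flushing, so an unchanged answer touches nothing and a changed one only inserts or deletes the difference. It reads the loaded set from the live chain rather than a cache file, which also repairs the chain after a firewall restart has reloaded the DROP-only version from /etc/sysconfig/iptables. The chain, service and host names are the post's placeholders; the helper names, the return codes, and the assumed column layout of `iptables --list CHAIN --numeric` (target, prot, opt, source, destination) are this example's own.

```bash
#!/bin/bash
# Added example, not the script from the post above. Same idea (allow a
# service only from the addresses a DNS name resolves to), but the chain is
# never flushed: newly resolved addresses get an ACCEPT rule inserted above
# the trailing DROP, addresses that vanished from DNS get theirs deleted, and
# when nothing changed no rule is touched. The chain, service and host names
# are the post's placeholders; the helper names are this example's own.

CHAIN=${CHAIN:-fubar-chain}
SERVICE=${SERVICE:-fubar}
ALLOWED_HOST=${ALLOWED_HOST:-chatenabled.google.com}
IPTABLES=${IPTABLES:-iptables}      # IPTABLES=echo prints the commands instead

# IPv4 addresses from host(1) output on stdin ("name has address A.B.C.D"),
# sorted and de-duplicated so that two answers with the same addresses in a
# different order compare equal. IPv6 lines ("has IPv6 address") are ignored.
parse_host_output() {
    awk '/ has address / { print $NF }' | sort -u
}

# Source column of the ACCEPT rules in "iptables --list CHAIN --numeric"
# output on stdin: the set that is loaded in the kernel right now. Reading
# the live chain rather than a cache file means that after a firewall
# restart (which reloads the DROP-only chain from /etc/sysconfig/iptables)
# the next run notices every address is missing and re-adds it.
parse_chain_listing() {
    awk '$1 == "ACCEPT" { print $4 }' | sort -u
}

# Accept only a dotted quad. Whatever the resolver returns ends up on an
# iptables command line, so anything else is refused rather than passed on.
valid_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    local IFS=. octet
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Lines of $1 that are not in $2; both are sorted newline lists, possibly empty.
set_minus() {
    local a b
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | grep . > "$a" || :
    printf '%s\n' "$2" | grep . > "$b" || :
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Bring the loaded ACCEPT rules in line with DNS. Returns 0 when rules were
# added or removed, 3 when the sets already matched, 2 when the resolver
# returned nothing (the loaded rules are then left alone: an empty answer is
# far more likely a DNS outage than "no servers any more", and replacing the
# rules with nothing would lock every client out).
refresh_chain() {
    local wanted loaded addr rc=3
    wanted=$(host "$ALLOWED_HOST" | parse_host_output)
    if [ -z "$wanted" ]; then
        echo "no addresses resolved for $ALLOWED_HOST; leaving $CHAIN alone" >&2
        return 2
    fi
    loaded=$($IPTABLES --list "$CHAIN" --numeric | parse_chain_listing)
    # Insert first, delete second, so no client is ever without an ACCEPT.
    for addr in $(set_minus "$wanted" "$loaded"); do
        valid_ipv4 "$addr" || { echo "refusing bad address: $addr" >&2; continue; }
        $IPTABLES --insert "$CHAIN" --source "$addr" \
            --protocol tcp --dport "$SERVICE" --jump ACCEPT || return 1
        rc=0
    done
    for addr in $(set_minus "$loaded" "$wanted"); do
        $IPTABLES --delete "$CHAIN" --source "$addr" \
            --protocol tcp --dport "$SERVICE" --jump ACCEPT || return 1
        rc=0
    done
    return $rc
}

# From cron: "fubar-refresh.sh refresh"; with no argument nothing is applied.
case "${1:-}" in refresh) refresh_chain ;; esac
```

Run it once by hand with `IPTABLES=echo ./fubar-refresh.sh refresh` to see what it would do before putting it in cron. Two things to keep in mind: `--delete` only matches a rule whose spec is identical, so the chain has to be managed by this script alone (every ACCEPT in it must carry the same protocol and port); and the address check before `--insert` is what makes it safe to hand resolver output to iptables at all, so do not drop it when adapting the script to another service.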
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos