For the FORWARD rule you can specify -s source machine to allow only those machines which you want to allow.

Regards,
Dharmendra.T
Linux Security Expert
www.nsecure.net
dharmu@nsecure.net

On Saturday 30 November 2002 05:30, Federico Canton wrote:
> Hi, is it possible to open a port in the firewall but limit access to
> only a few hosts natted behind a remote firewall?
>
> For example, I already use these rules to open port 80 and direct
> traffic to my internal web server,
>
> $IPTABLES -A FORWARD -i $INET_IFACE -p tcp -d $WEB_SERVER_IP --dport 80 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE --dport 80 -j DNAT --to-destination $WEB_SERVER
>
> but I don't know what I need to add to the rules so that only a few
> hosts can go through the firewall.
>
> I initially thought of using "--mac-source", but apparently this would not
> work for hosts located on remote networks since the firewall will only
> see the MAC address of the last router the frame passed through. Is
> this correct?
>
> I will greatly appreciate any suggestions.
>
> Regards,
>
> federico
--
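One way to apply the -s suggestion above to the quoted rules, as an added example that is not code from either post: a small POSIX shell script that emits the DNAT rule plus one FORWARD ACCEPT per allowed source and a closing DROP for the web server's port. The interface name and all addresses are constructed placeholders (RFC 5737 documentation ranges); the variable names follow the quoted post. Note that -s matches the source address this firewall actually sees, so for hosts sitting behind a remote NAT that is the remote firewall's public address, and the rule cannot distinguish individual hosts behind it.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables rules that
# DNAT public port 80 to an internal web server and let only a short list of
# source addresses through the FORWARD chain. Values below are constructed.
INET_IFACE="eth0"
WEB_SERVER_IP="192.168.1.10"
# Public addresses allowed to reach the web server (constructed). For hosts
# behind a remote NAT this is the remote firewall's public address, which is
# all this firewall ever sees.
ALLOWED_HOSTS="203.0.113.10 198.51.100.0/24"

# Print the rules rather than applying them; pipe the output to sh as root
# on the firewall to load them.
build_rules() {
    # DNAT happens in PREROUTING, before FORWARD, so FORWARD already sees the
    # internal address and can match on -d $WEB_SERVER_IP.
    echo "iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER_IP"
    # Reply traffic of connections that were already accepted.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT per allowed source; -s takes a host or a CIDR network.
    for src in $ALLOWED_HOSTS; do
        echo "iptables -A FORWARD -i $INET_IFACE -s $src -p tcp -d $WEB_SERVER_IP --dport 80 -m state --state NEW -j ACCEPT"
    done
    # Everything else aimed at the web server's port 80 is dropped here, so a
    # permissive rule appended later in FORWARD cannot silently widen access.
    echo "iptables -A FORWARD -i $INET_IFACE -p tcp -d $WEB_SERVER_IP --dport 80 -j DROP"
}

# Count the ACCEPT rules emitted for a given source address; useful when
# auditing the generated set (a source that is not listed must give 0).
count_accepts_for() {
    build_rules | grep -c -- "-s $1 .*-j ACCEPT"
}

build_rules
```

Because the DROP is appended last and ESTABLISHED,RELATED is accepted first, the only new connections that reach the web server are those whose source matches an entry in ALLOWED_HOSTS; adding or removing a host is a one-line change to that variable.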