On Fri, Oct 15, 2004 at 12:41:15PM -0700, kate wrote:
> Hello,
>
> As I see increased scans on my IP address, I want to
> limit access to only predetermined IP address ranges
> for certain services - Is the following the correct
> way to do this?
>
> <snip>
> # (Part A) Rules for incoming packets from Internet
> # Packets for established connections
> iptables -A INPUT -p ALL -d $ETH0_IP -m state --state
> ESTABLISHED,RELATED -j ACCEPT

stylistic note: the "-p ALL" is kinda unnecessary...

> # (Part B) TCP Rules
> iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1
> --destination-port 21 -j okay # userA
> iptables -A INPUT -p TCP -i eth0 -s 123.45.0/16
> --destination-port 22 -j okay #users A - Z

i think you're missing a "0" there: 123.45.0/16 should really be 123.45.0.0/16.

> </snip>
>
> So I understand -
> ONLY User A can ftp, and all those in 123.45. can ssh
> , BUT no-one else on the Internet can request services
> ?

yes--as long as somewhere further down the chain you hit a drop-all rule of some sort...

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
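Added example, not from either poster: a script that checks each source address for the missing-octet mistake pointed out above and prints the rule set with the two fixes from the reply applied (no "-p ALL", explicit drop-all at the end of the chain). It uses ACCEPT where the original uses the "okay" target, adds a loopback rule and "--state NEW" on the two service rules, and ETH0_IP is a constructed placeholder.

```shell
#!/bin/sh
# Added example: validate sources, then print (not run) the INPUT chain.

ETH0_IP="${ETH0_IP:-192.0.2.10}"   # constructed placeholder for the host's address

# valid_cidr ADDR[/PREFIX]: 0 when ADDR is a full dotted quad and PREFIX <= 32.
# "123.45.0/16" (three octets) is rejected; "123.45.0.0/16" is accepted.
valid_cidr() {
  addr=${1%%/*}
  pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32        # bare host address: treat as /32
  case $pfx in *[!0-9]*|'') return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  echo "$addr" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# build_rules USER_A USERS_NET: print the chain, or fail on a malformed source.
build_rules() {
  user_a=$1
  users_net=$2
  for src in "$user_a" "$users_net"; do
    valid_cidr "$src" || { echo "malformed source: $src" >&2; return 1; }
  done
  cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s $user_a --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s $users_net --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
EOF
}

# Usage: build_rules 123.45.1.1 123.45.0.0/16 | sh    (after reviewing the output)
```

Running it with the original "123.45.0/16" stops with "malformed source" instead of silently installing a rule that matches nothing like what was intended.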