--- Jason Opperisano <opie@xxxxxxxxxxx> wrote:

> On Fri, Oct 15, 2004 at 12:41:15PM -0700, kate wrote:
> > Hello,
> >
> > As I see increased scans on my IP address, I want to
> > limit access to only predetermined IP address ranges
> > for certain services - Is the following the correct
> > way to do this?
> >
> > <snip>
> > # (Part A) Rules for incoming packets from Internet
> > # Packets for established connections
> > iptables -A INPUT -p ALL -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> stylistic note: the "-p ALL" is kinda unnecessary...
>
> > # (Part B) TCP Rules
> > iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
> > iptables -A INPUT -p TCP -i eth0 -s 123.45.0/16 --destination-port 22 -j okay #users A - Z
>
> i think you're missing a "0" there: 123.45.0/16 should really be
> 123.45.0.0/16.
>
> > </snip>
> >
> > So I understand -
> > ONLY User A can ftp, and all those in 123.45. can ssh,
> > BUT no-one else on the Internet can request services?
>
> yes--as long as somewhere further down the chain you hit a drop-all
> rule of some sort...

Yes, I see that now...

# (Part B) TCP Rules
iptables -A INPUT -p TCP -i eth0 -s 123.45.1.1 --destination-port 21 -j okay # userA
iptables -A INPUT -p TCP -i eth0 -s 123.45.0.0/16 --destination-port 22 -j okay #users A - Z

so the drop-all would be..?

iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP

or did I just invent my own thing here?

tia
Kate
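The rule set the thread is converging on, written out as an added example (not Kate's or Jason's code) in iptables-restore format so the ordering is visible in one place. Kate's `-s 0/0` is valid syntax (it means any source), but that rule as written only covers TCP arriving on eth0; the example below sets the INPUT chain policy to DROP and adds an unconditional drop as the last rule, so UDP and ICMP that no earlier rule accepts are discarded as well. The `okay` target from the thread is replaced with ACCEPT, the `$ETH0_IP` value is a placeholder from TEST-NET-1, and the loopback accept and the rate-limited LOG line are assumptions added for a workable host firewall; the two source addresses are the ones from the thread, with the missing octet fixed.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the policy discussed.
# Assumptions: ETH0_IP placeholder, ACCEPT in place of the thread's "okay"
# target, loopback accept and a rate-limited LOG rule before the final DROP.

ETH0_IP="${ETH0_IP:-192.0.2.10}"   # placeholder (TEST-NET-1), set for real use
FTP_ADMIN="123.45.1.1"             # user A, from the thread
SSH_USERS="123.45.0.0/16"          # users A - Z, with the missing octet fixed

# gen_rules: print the complete filter table. Rules are evaluated top to
# bottom; the chain policy (DROP) applies to anything that falls off the end.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# (Part A) replies to connections this host opened, and related traffic
-A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# local services talk to themselves over loopback
-A INPUT -i lo -j ACCEPT
# (Part B) new TCP connections only from the listed sources
-A INPUT -p tcp -i eth0 -s $FTP_ADMIN --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -i eth0 -s $SSH_USERS --dport 22 -m state --state NEW -j ACCEPT
# log (rate limited) and then drop everything else, regardless of protocol
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# last_rule_is_drop: succeeds when the final INPUT rule is an unconditional DROP,
# i.e. the drop-all Jason says must sit further down the chain.
last_rule_is_drop() {
    gen_rules | grep '^-A INPUT' | tail -n 1 | grep -q '^-A INPUT -j DROP$'
}

# accept_rule_count: number of ACCEPT rules, useful as a sanity check after edits.
accept_rule_count() {
    gen_rules | grep -c -- '-j ACCEPT'
}
```

Load it with `gen_rules > rules.v4 && iptables-restore < rules.v4` on the host; with the chain policy set to DROP, the explicit final `-A INPUT -j DROP` is redundant for enforcement but keeps the LOG rule in front of it, which is what makes the dropped scans visible in syslog.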