As Paul mentioned, I would strongly recommend a default drop policy. However, should you need the default accept, you can streamline the packet processing by using a user defined chain. This will allow any long list of allowed SSH IPs to be separated from normal packet processing:

iptables -N sshchain
iptables -A FORWARD -p 6 --dport 22 -j sshchain
iptables -A sshchain -s x.x.x.x -j ACCEPT
iptables -A sshchain -s y.y.y.y -j ACCEPT
iptables -A sshchain -s z.z.z.z -j ACCEPT
iptables -A sshchain -j DROP

Hope this helps - John

On Mon, 2004-11-15 at 20:19, Rudi Starcevic wrote:
> Thanks Paul,
>
> Was hoping for a simple solution and well pleased to know I can do it
> both ways.
>
> Many thanks
> Best regards Rudi
>
> Paul Annesley wrote:
>
> >---------- Forwarded message ----------
> >From: Paul Annesley <paul.annesley@xxxxxxxxx>
> >Date: Mon, 15 Nov 2004 18:05:17 +1100
> >Subject: Re: Policy Accept + Allow Multiple IP's
> >To: Rudi Starcevic <tech@xxxxxxxxxxxx>
> >
> >On Mon, 15 Nov 2004 16:51:57 -0800, Rudi Starcevic <tech@xxxxxxxxxxxx> wrote:
> >
> >>Hi,
> >>
> >>I have an Iptables firewall with a default policy of accept.
> >>
> >>I want to allow only certain IPs ssh access.
> >>
> >>So far I have this rule which allows 1 IP:
> >>
> >>iptables -A INPUT -p tcp --dport 22 -s ! xxx.xxx.xxx.xxx -j DROP
> >>
> >>I'm not sure how to list more than 1 allowable IP.
> >>
> >>This is a production box I've inherited so I'm hoping to work with what I already
> >>have but may need to look at changing the default policy to drop or
> >>something.
> >
> >Perhaps you should look at making the policy DROP and allowing
> >specific traffic..
> >However what you're after can be done with two rules.. something like;
> >
> >iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
> >iptables -A INPUT -p tcp --dport 22 -j DROP
> >
> >>Please advise, many thanks.
> >>Regards Rudi

-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net
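The user-defined chain John describes, generalised to an allow-list of any length, as an added example that is not part of the thread. The script prints the iptables commands instead of running them, so the rule set can be reviewed before being fed to sh as root. The hook chain is a parameter: INPUT for SSH to the firewall host itself (the case Rudi's own rule covers), FORWARD for traffic routed through it as in John's snippet. The chain name "sshchain" and the sample addresses (RFC 5737 documentation ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build the SSH allow-list chain
# from a list of source addresses and print the iptables commands.

# valid_cidr ADDR[/PREFIX]: return 0 for a well-formed IPv4 address or
# network, 1 otherwise. Checking up front matters because iptables would
# otherwise fail part-way through a rule list, leaving a half-built chain.
valid_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32       # no "/n" given: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ssh_rules HOOK CHAIN ADDR...: print the rules for HOOK (INPUT or
# FORWARD, an assumption of this example) and the user chain CHAIN.
# Every address is validated before anything is printed. An empty
# allow-list is refused: the trailing DROP would lock out every client.
gen_ssh_rules() {
    hook=$1; chain=$2; shift 2
    [ $# -gt 0 ] || { echo "gen_ssh_rules: no allowed addresses given" >&2; return 2; }
    for a in "$@"; do
        valid_cidr "$a" || { echo "gen_ssh_rules: bad address: $a" >&2; return 2; }
    done
    # Create the chain; if it already exists, flush it instead, so the
    # output can be re-applied without appending duplicate ACCEPT rules.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    # One rule in the hook chain hands SSH traffic to the user chain; the
    # rest of the hook chain never walks the allow-list.
    printf 'iptables -A %s -p tcp --dport 22 -j %s\n' "$hook" "$chain"
    for a in "$@"; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$a"
    done
    # Without this, an unmatched packet returns to the hook chain and is
    # accepted by the default policy, which is exactly what must not happen.
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# Constructed sample allow-list (RFC 5737 documentation addresses).
gen_ssh_rules INPUT sshchain 192.0.2.10 198.51.100.0/24 203.0.113.7
```

The hook rule (`-A INPUT ... -j sshchain`) is appended each time the output is applied, so when re-running on a live box either delete the old hook rule first or apply the whole thing from a fresh flush of INPUT; the user chain itself is flushed and rebuilt by the first printed command.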