On Fri, 2004-12-17 at 18:40, Jason Williams wrote:
> At 01:41 PM 12/17/2004, Jason Opperisano wrote:
> > > $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
> >
> > you really want to allow unlimited access to your firewall from your
> > internal network?
>
> Just thought about this. What if I wanted to give just one box SSH access
> to the firewall (maintenance lets say).
>
> It would be something like this:
>
> $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.90 -dport 22 -j ACCEPT

you're missing a '-' right................................^ here, but
yeah--that's the concept.

for what it's worth, i always like to specify "--syn" as well:

  iptables -A INPUT -p tcp --syn -i $LAN_IFACE -s 192.168.1.90 \
    --dport 22 -j ACCEPT

since the rest of the connection will be handled by your "-m state --state
ESTABLISHED,RELATED" rule at the top.

even more restrictive options would be to specify an unprivileged source
port, and the proper destination IP, giving us:

  iptables -A INPUT -p tcp --syn -i $LAN_IFACE \
    -s 192.168.1.90 --sport 1024:65535 -d $LAN_IP --dport 22 -j ACCEPT

yeah--that looks pretty good to me.

-j

-- 
"Ooh, they used nylon rope this time. It feels smooth against my skin,
almost sensuous." --The Simpsons
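The rule from the reply above, placed in the context it depends on (the ESTABLISHED,RELATED rule ahead of it and a DROP policy behind it), as an added example that is not part of the list thread. It emits an iptables-restore ruleset rather than running iptables, so it can be inspected before loading; the function names, the loopback rule, the DROP policy and the sample interface and addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the list post): print a minimal iptables-restore
# ruleset for the INPUT chain following the thread's advice. Order matters:
# the stateful rule comes first, then one --syn rule admitting new SSH
# sessions only from the maintenance host, then the chain's DROP policy.
#
# Usage: ssh_input_rules LAN_IFACE LAN_IP MGMT_IP > rules.v4
#        iptables-restore < rules.v4        (as root, after reviewing it)
ssh_input_rules() {
    lan_iface=$1   # interface facing the internal network
    lan_ip=$2      # the firewall's own address on that interface
    mgmt_ip=$3     # the single box allowed to open SSH sessions
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic (assumed; not discussed in the thread)
-A INPUT -i lo -j ACCEPT
# packets of connections already admitted; placed first so that only the
# initial SYN of a new SSH session needs to match the rule below
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH session: SYN only, from the maintenance host, from an unprivileged
# source port, to the firewall's own LAN address
-A INPUT -p tcp --syn -i $lan_iface -s $mgmt_ip --sport 1024:65535 -d $lan_ip --dport 22 -j ACCEPT
# everything else (the rest of the LAN included) falls to the DROP policy
COMMIT
EOF
}

# Sanity check on the generated set: how many rules admit new SSH sessions?
# Exactly one is expected; more would mean the restriction has been widened.
count_ssh_accept() {
    ssh_input_rules "$@" | grep -c -- '--dport 22 -j ACCEPT'
}
```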