Hi,

My message is for having an in-depth explanation of this thread: http://www.gossamer-threads.com/lists/iptables/user/62849

Here is the part that I focus on:

_______________________________________________________
On Mon, 16 Oct 2006, Retesh wrote:

Let's assume a bunch of servers (the IP addresses stored in the set 'servers') and a bunch of clients (the IP addresses stored in 'clients') and one wants to allow any listed client to access any listed server:

    iptables -A <chain> -m set --set clients src \
             -m set --set servers dst \
             -j ACCEPT

Or if you want to restrict the access to the given list of services on the servers (port numbers are stored in 'services'), assuming the same list of services on each server:

    iptables -A <chain> -m set --set clients src \
             -m set --set servers dst \
             -m set --set services dst \
             -j ACCEPT

Or if the list of services is different on the servers, then one can use an ipporthash type of set to store (server IP, service port) pairs in 'server-service' and write:

    iptables -A <chain> -m set --set clients src \
             -m set --set server-service dst,dst \
             -j ACCEPT

Hope it helps,
Jozsef
-
E-mail  : kadlec[at]blackhole.kfki.hu, kadlec[at]sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
_______________________________________________________

Clients  : 192.168.1.5 & 192.168.1.4
Services : ssh
Servers  : 192.169.50.105

When I try to test such a configuration:
ipset rules (file ipset.rule, which I load with ipset -R < ipset.rule):

    # Generated by ipset 2.2.9a on Mon Jan 29 15:43:49 2007
    -N servers iphash --hashsize 1024 --probes 8 --resize 50
    -A servers 192.169.50.105
    -N services portmap --from 1 --to 31
    -A services 22
    -N clients iphash --hashsize 1024 --probes 8 --resize 50
    -A clients 192.168.1.5
    -A clients 192.168.1.4
    -B servers :default: -b services
    -B services 22 -b clients
    COMMIT

iptables rules:

    # Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
    *nat
    :PREROUTING ACCEPT [79:3756]
    :POSTROUTING ACCEPT [94:5189]
    :OUTPUT ACCEPT [46:3071]
    COMMIT
    # Completed on Mon Jan 29 15:11:48 2007
    # Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
    *filter
    :INPUT ACCEPT [29336:1622806]
    :FORWARD ACCEPT [1122:89879]
    :OUTPUT ACCEPT [700613:32934646]
    :LOG_DROP - [0:0]
    -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
    -A FORWARD -m set --set servers dst,dst,src -j ACCEPT
    ---------------------
    -A FORWARD -j LOG_DROP
    -A OUTPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
    -A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
    -A LOG_DROP -j DROP
    COMMIT

The firewall drops responses from 192.169.50.105. Do I have to add an ipset rule for the return, as (*)?

    (*) -A FORWARD -m set --set clients dst,dst,src -j ACCEPT

Without (*), it doesn't work, but this last rule disturbs me.

Thanks,
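The return-traffic problem described in the post above, worked through as an added example (editor's code, not code from the thread, from Jozsef, or from the ipset project). It models in plain Python how the FORWARD chain evaluates the client's SSH SYN and the server's reply: first with only the set rule from the post, then with an assumed stateful rule (`-m state --state ESTABLISHED,RELATED -j ACCEPT`, which iptables 1.3.x supports) placed ahead of it. The addresses, ports and the 'servers', 'services' and 'clients' set contents come from the post; the conntrack table, the stateful rule and the binding semantics modelled for `--set servers dst,dst,src` are assumptions, not something the thread verifies.

```python
"""Toy model of the poster's FORWARD chain (added example, not from the thread).

Models two features the ruleset relies on: ipset 2.x set matching with
bindings ('-m set --set servers dst,dst,src') and connection tracking
('-m state --state ESTABLISHED,RELATED'). The conntrack model and the
stateful rule are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a TCP connection


# Set contents as loaded from ipset.rule in the post
SERVERS = {"192.169.50.105"}
SERVICES = {22}
CLIENTS = {"192.168.1.5", "192.168.1.4"}


def match_servers_dst_dst_src(p: Packet) -> bool:
    """Models '-m set --set servers dst,dst,src' with the post's bindings:
    dst IP in 'servers' -> (default binding) dst port in 'services'
    -> (binding of port 22) src IP in 'clients'. Assumed semantics."""
    return p.dst in SERVERS and p.dport in SERVICES and p.src in CLIENTS


class Conntrack:
    """Minimal stand-in for the kernel conntrack table (assumption): a flow
    is ESTABLISHED once a packet in its original direction was accepted."""

    def __init__(self) -> None:
        self.flows = set()

    @staticmethod
    def key(p: Packet) -> frozenset:
        # Same key for both directions of one connection
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def is_established(self, p: Packet) -> bool:
        return self.key(p) in self.flows

    def note_accepted(self, p: Packet) -> None:
        self.flows.add(self.key(p))


def forward_chain(p: Packet, ct: Conntrack, stateful: bool) -> str:
    """Returns 'ACCEPT' or 'LOG_DROP' for one packet on the FORWARD chain."""
    if stateful and ct.is_established(p):
        # assumed rule: -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        return "ACCEPT"
    if match_servers_dst_dst_src(p):
        # rule from the post: -A FORWARD -m set --set servers dst,dst,src -j ACCEPT
        ct.note_accepted(p)
        return "ACCEPT"
    # rule from the post: -A FORWARD -j LOG_DROP
    return "LOG_DROP"


def run_ssh_exchange(stateful: bool) -> tuple:
    """Client SYN to the server's SSH port, then the server's reply.
    Returns the (SYN verdict, reply verdict) pair."""
    ct = Conntrack()
    syn = Packet("192.168.1.5", 40000, "192.169.50.105", 22, syn=True)
    reply = Packet("192.169.50.105", 22, "192.168.1.5", 40000, syn=False)
    return forward_chain(syn, ct, stateful), forward_chain(reply, ct, stateful)


def server_initiated(stateful: bool) -> str:
    """A connection the server opens toward a client: no conntrack entry
    exists, so the stateful rule must not let it through."""
    ct = Conntrack()
    p = Packet("192.169.50.105", 50000, "192.168.1.5", 22, syn=True)
    return forward_chain(p, ct, stateful)


if __name__ == "__main__":
    print("set rule only  :", run_ssh_exchange(stateful=False))
    print("with state rule:", run_ssh_exchange(stateful=True))
    print("server->client :", server_initiated(stateful=True))
```

The model shows why the reply is logged and dropped with the set rule alone (its destination is a client, not a member of 'servers', so the chain falls through to LOG_DROP) and that a stateful rule only admits packets of a connection the set rule already accepted; a connection the server itself opens toward a client still ends in LOG_DROP, which is the narrower behaviour compared to accepting everything addressed to the 'clients' set.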