Patrick,

> I've added my DNS & GW, and I can connect from anywhere within the allowed range, I also can get out to the Net, but...
> This setup prevents any returning packet from the Net to get in...

I thought that is precisely the way you want:

"I need some help with iptables. I'm trying to block every access to one RHEL4 box (x.y.z.218), except from 9 IPs (x.y.z.211-219). Every port from the allowed range should reach x.y.z.218"

i.e. restrict access only to your 9 machines and no one else.

If there is another (internal/external) host/network you need to access, just add that to the accept list.

This way, you have precise control over where users can get in from and get out. Even if hackers manage to break in, they cannot do a general probe of other machines.

Peter

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Patrick Derwael
Sent: 15 September 2006 14:57
To: redhat-list@xxxxxxxxxx
Subject: RE: iptables

Peter,

Thank you for the hint (/32).

I've added my DNS & GW, and I can connect from anywhere within the allowed range, I also can get out to the Net, but...
This setup prevents any returning packet from the Net to get in...
I presume this is related to the connection state, but I don't have a clue about how to set this up properly.
My script is the following:

# Start from a clean situation
iptables -F

# Authorised range
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.211/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.212/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.213/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.214/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.215/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.216/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.217/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.218/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.219/32 -j ACCEPT

# DNS1-DNS2
iptables -A INPUT -s 111.222.333.131/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.141/32 -j ACCEPT

# Gateway
iptables -A INPUT -s 111.222.333.254/32 -j ACCEPT

# Drop all the rest (everything not already accepted above reaches this rule)
iptables -A INPUT -s ! 111.222.333.219/32 -j DROP

iptables -L
#

On Fri, September 15, 2006 2:30 pm, Chiu, PCM (Peter) said:
> I would suggest
>
> iptables -F
> iptables -A INPUT -s x.y.z.211/32 -j ACCEPT
> iptables -A INPUT -s x.y.z.212/32 -j ACCEPT
> ....
> iptables -A INPUT -s ! x.y.z.219/32 -j DROP
>
> You may also need to include your own default router and dns server to
> the accept list, otherwise you won't get out.
>
> Peter

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
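The behaviour Patrick describes (outbound connections work, but the replies never get back in) is exactly what a source-address-only allowlist does: a reply from a web server or DNS resolver arrives with the server's address as source, matches none of the ACCEPT rules, and hits the catch-all DROP. The missing piece is connection tracking: one rule accepting packets in state ESTABLISHED or RELATED lets replies to connections the box itself opened back in (conntrack tracks UDP too, so DNS answers count as ESTABLISHED, and ICMP errors tied to a tracked connection count as RELATED), which also makes the separate DNS and gateway accept rules unnecessary. The script below is an added example, not code from the thread or from Red Hat: it generates a stateful version of the allowlist in the iptables-save format that /etc/sysconfig/iptables uses on RHEL, with a DROP policy on INPUT in place of the trailing "-s ! host -j DROP" rule, and validates every address first so that a malformed octet is caught before iptables sees it. The 192.0.2.x addresses are assumptions from the documentation range, standing in for the thread's x.y.z hosts.

```shell
#!/bin/sh
# Added example (not from the redhat-list thread). Emits a stateful allowlist
# for the INPUT chain in iptables-restore format. The hosts below are assumed
# values from the 192.0.2.0/24 documentation range; replace them with the real
# x.y.z.211-219 addresses.

ALLOWED_HOSTS="192.0.2.211 192.0.2.212 192.0.2.213 192.0.2.214 192.0.2.215 192.0.2.216 192.0.2.217 192.0.2.218 192.0.2.219"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255.
# Catches typos such as a 333 octet before they reach iptables.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ruleset "HOST HOST ...": print a complete *filter table to stdout.
# Fails with no output if any host is not a valid IPv4 address.
build_ruleset() {
    for host in $1; do
        is_ipv4 "$host" || { echo "build_ruleset: bad address '$host'" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # Default policies: nothing gets in unless a rule below accepts it, so no
    # trailing catch-all DROP rule is needed. Outbound traffic is unrestricted.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is always local.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this box opened (TCP, UDP such as DNS answers, and
    # ICMP errors RELATED to them) come back in through conntrack state, so the
    # DNS servers and the gateway no longer need source-address accept rules.
    # "-m state" is the match available on RHEL4-era kernels.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only the listed hosts may open NEW connections, to any port.
    for host in $1; do
        printf '%s\n' "-A INPUT -s $host/32 -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Demo: print the ruleset for the assumed hosts.
build_ruleset "$ALLOWED_HOSTS"
```

Loading the output with `build_ruleset "$ALLOWED_HOSTS" | iptables-restore` (or writing it to /etc/sysconfig/iptables and running `service iptables restart`) replaces the whole table in one step, so there is no window, as there is when appending rules one `iptables -A` at a time over ssh, in which the chain is half built. Note that `iptables -F` only flushes the rules; it does not reset a DROP policy set earlier, which is why the policy lines are part of the ruleset rather than left to whatever the previous run set. On newer iptables, `iptables-restore --test` parses the generated file without committing it, which is a cheap check to run before touching a remote box.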