RE: iptables

Patrick,

>I've added my DNS & GW, and I can connect from anywhere within the
>allowed range, I also can get out to the Net, but...

>This setup prevents any returning packet from the Net to get in...

I thought that is precisely the way you want:
   "I need some help with iptables. I'm trying to block every access to one
   RHEL4 box (x.y.z.218), except from 9 IPs (x.y.z.211-219).
   Every port from the allowed range should reach x.y.z.218"

i.e. restrict access only to your 9 machines and no one else.

If there is another (internal/external) host/network you need to access,
just add that to the accept list.

This way, you have precise control where users can get in from and get out.
Even if hackers manage to break in, they cannot do a general probe to
other machines.

Peter

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Patrick Derwael
Sent: 15 September 2006 14:57
To: redhat-list@xxxxxxxxxx
Subject: RE: iptables

Peter,
Thank you for the hint (/32)
I've added my DNS & GW, and I can connect from anywhere within the
allowed range, I also can get out to the Net, but...

This setup prevents any returning packet from the Net to get in...

I presume this is related to the connection state, but I don't have a
clue about how to set this up properly.

My script is the following:

# Start from a clean situation
iptables -F
# Authorised range
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.211/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.212/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.213/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.214/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.215/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.216/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.217/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.218/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.219/32 -j ACCEPT
# DNS1-DNS2
iptables -A INPUT -s 111.222.333.131/32 -j ACCEPT
iptables -A INPUT -s 111.222.333.141/32 -j ACCEPT
# Gateway
iptables -A INPUT -s 111.222.333.254/32 -j ACCEPT
# Drop all the rest
iptables -A INPUT -s ! 111.222.333.219/32 -j DROP
iptables -L




On Fri, September 15, 2006 2:30 pm, Chiu, PCM (Peter) said:
> I would suggest
>
> iptables -F
> iptables -A INPUT -s x.y.z.211/32 -j ACCEPT
> iptables -A INPUT -s x.y.z.212/32 -j ACCEPT
> ....
> iptables -A INPUT -s ! x.y.z.219/32 -j DROP
>
> You may also need to include your own default router and dns server to
> the accept list, otherwise you won't get out.
>
> Peter

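The connection-state fix Patrick asks about, as an added example that is not the script posted by either participant: the same allow-list, but with an ESTABLISHED,RELATED rule ahead of the per-host rules so replies to connections the box opens are let back in, and a default-deny policy instead of a trailing `-s !` rule. It assumes the RFC 5737 documentation range 192.0.2.0/24 in place of the thread's x.y.z prefix and the classic `-m state` match, which RHEL4's 2.6 kernel provides.

```shell
#!/bin/sh
# Added example, not the script from the thread. Same allow-list, but the
# INPUT chain gets a connection-tracking rule so that replies to connections
# this box opens (web, DNS lookups, yum) are accepted on the way back.
# Constructed addresses: 192.0.2.0/24 (RFC 5737 documentation range) stands
# in for the thread's x.y.z / 111.222.333 prefix.
NET=192.0.2
ALLOWED_OCTETS="211 212 213 214 215 216 217 218 219"   # the 9 permitted hosts
INFRA_OCTETS="131 141 254"                              # DNS1, DNS2, gateway

# Emit the rule set, one iptables command per line, in load order.
# INPUT is first-match: the ESTABLISHED,RELATED rule must sit before the
# per-host rules, and the DROP policy catches everything that matches nothing.
gen_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"             # default deny; no '-s !' rule needed
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for o in $ALLOWED_OCTETS $INFRA_OCTETS; do
        echo "iptables -A INPUT -s $NET.$o/32 -m state --state NEW -j ACCEPT"
    done
    # Rate-limited log of what falls through to the DROP policy, so probes
    # from outside the allowed range are visible in /var/log/messages.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT drop: '"
}

# 1-based position of the first generated rule matching $1; lets the order
# be checked before anything touches the kernel.
rule_index() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Dry run by default (prints the commands); APPLY_RULES=1 runs them as root.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

After applying, `iptables -L -v -n` shows packet counters on the ESTABLISHED,RELATED rule climbing as return traffic arrives, which is the quickest check that outbound connections now complete.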

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

