Accepting connections from a specified range of IP addresses

Jason.nix · 01-22-2024, 10:58 AM

Hello,
I have a Tor server with IP address 172.20.1.100 and I want only IP addresses in the range 172.20.1.0/24 to be able to connect to it. Is the following iptables rule correct?

Code:

iptables -A INPUT -p tcp -s 172.20.1.0/24 --dst 172.20.1.100 --dport 9050 --jump ACCEPT

Thank you.

jayjwa · 01-22-2024, 11:29 AM

Why not set it with SocksPolicy in torrc? If you are going to use Iptables, consider the default POLICY. If you default allow, that does nothing and you'll need a DROP (or log/drop) right after it. You don't need the dst.

Jason.nix · 01-22-2024, 11:59 AM

Quote:

Originally Posted by jayjwa

Why not set it with SocksPolicy in torrc? If you are going to use Iptables, consider the default POLICY. If you default allow, that does nothing and you'll need a DROP (or log/drop) right after it. You don't need the dst.

Hello,
Thank you so much for your reply.
I did:

Code:

SOCKSPort 172.20.1.100:9050

I know I can do this with SocksPolicy, but I want to do it with iptables. Do you mean all following policies should be DROP?

Code:

*filter
:INPUT ACCEPT [862:113997]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76190:79547849]

If I change INPUT to DROP, can clients connect to the server?
Why is dst not needed?