2 IPs - need to block different ports on each
Hello all.
Here is my setup:
eth0 - 192.168.0.50
eth0:1 - 192.168.0.60
I would like to allow my specified traffic to eth0 (listed below), but only allow eth0:1 to use ftp-data:ftp.

iptables -L
Chain INPUT (policy DROP)

I can still ping eth0:1 (192.168.0.60). Does the order they are listed in matter? Also my sftp is not working. Any help is appreciated.
Jon
[solved] as far as I know...
Ok, I needed to be more specific in writing the rules.
I had not used -d for the destination IP:

iptables -A INPUT -p all -s 0.0.0.0 -d 192.168.0.50 -j ACCEPT

Here is the result.

iptables -L
Chain INPUT (policy DROP)

Everything seems to be working well now and 192.168.0.60 only uses the ftp ports. I may need to add -m state --state NEW,ESTABLISHED,RELATED to the rest of my rules. Thank you for taking the time to view the post.
Jon
Glad to see you got it working. BTW, another approach could be to stick the alias IP rule(s) at the top, and remove the destination IP from the real IP rules. That way you wouldn't need to worry about changing the rules if the real IP ever changes. Also, in cases such as this I would usually create a dedicated chain for the alias IP, with a DROP or REJECT rule at the end. Just a thought.
Hi Win32Sux and thanks for the reply.
I tried the approach from this post: http://www.linuxquestions.org/questi...5/#post3162072
Now, were you talking about creating another chain for the ftp IP only? Not sure if I am following you or not...

iptables -L -n
Chain INPUT (policy DROP)

Jon
If I was you, I'd probably just stick with two user-built chains - a bad packet one and the alias IP one. But that's just me. That said, even with all the protocol-specific chains you now have, I do see a lot of redundant and unnecessary rules. For example, there's no reason why you would need more than one rule for packets in ESTABLISHED or RELATED states. Also, the RELATED match doesn't directly apply to any of your rules (aside from the FTP one) - so I'm not sure why you are specifying it per-rule.
As for the subjective benefits, some people find scripts easier to manage with a bunch of chains. Others find them easier to manage without any user-built chains, or with a minimal amount of them. There are differences in the types and purposes of chains people prefer, too. For example, I tend to lean more toward chains made per IP, privilege level, etc. and not so much for traffic type. But like everything, it depends.
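As an added example that is not from the thread or from either poster, the POSIX sh script below generates, in iptables-restore format, a ruleset laid out the way win32sux suggests: one ESTABLISHED,RELATED rule, the alias-IP rule placed at the top as a jump into a dedicated chain that ends in DROP, and the real-IP rules written without -d so they keep working if the real address changes. It assumes 192.168.0.60 is the alias address, that FTP means TCP ports 20 and 21, and that SSH (port 22) stands in for the "listed below" services on the real IP, which the thread does not show; the alias_jump_first function is an added sanity check, not an iptables feature.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an iptables-restore
# ruleset for a host with a real IP and an alias IP:
#   - a single ESTABLISHED,RELATED rule near the top
#   - a dedicated chain for the alias IP, ending in DROP
#   - real-IP rules without -d, placed after the alias jump
# Assumed values (override via environment): ALIAS_IP is the alias
# address that may only use FTP; REAL_PORTS are the TCP ports allowed
# on the real IP (22 assumed, since the thread's list is not shown).

ALIAS_IP="${ALIAS_IP:-192.168.0.60}"
REAL_PORTS="${REAL_PORTS:-22}"

# Print the ruleset in iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ALIAS_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d ${ALIAS_IP} -j ALIAS_IN
EOF
    # Real-IP services: no -d, so they also match if the real IP changes.
    # Traffic to the alias never reaches these because the jump above
    # comes first and ALIAS_IN ends in DROP.
    for p in $REAL_PORTS; do
        echo "-A INPUT -p tcp --dport ${p} -m state --state NEW -j ACCEPT"
    done
    # Alias chain: only the FTP ports; the RELATED rule above admits FTP
    # data connections when the nf_conntrack_ftp helper is loaded.
    cat <<EOF
-A ALIAS_IN -p tcp --dport 20:21 -m state --state NEW -j ACCEPT
-A ALIAS_IN -j DROP
COMMIT
EOF
}

# Sanity check: the jump into ALIAS_IN must precede every real-IP accept
# rule, otherwise a real-IP rule without -d would also match the alias.
alias_jump_first() {
    jump=$(gen_rules | grep -n -- "-j ALIAS_IN" | head -n 1 | cut -d: -f1)
    first_port=$(gen_rules | grep -n -- "--dport" | head -n 1 | cut -d: -f1)
    [ -n "$jump" ] && [ -n "$first_port" ] && [ "$jump" -lt "$first_port" ]
}

# Print the ruleset; to apply it, run:  sh this_script.sh | iptables-restore
gen_rules
```

Because the alias jump sits above the port rules and the alias chain drops everything it does not explicitly accept, a ping or SSH attempt aimed at 192.168.0.60 is dropped even though the real-IP rules carry no -d, which is the ordering point raised in the thread.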