Allow internal ips block external ips
I'm running CentOS 5.4 with an SFTP server, and I'd like to allow all 172.16.0.x and 192.168.0.x IPs and block everything else.
Does someone have a good way to do this with iptables or any other open-source FW? Thanks! |
The networks you mentioned are RFC1918 private IP space. They are not routable across the 'net. In order for inbound traffic to reach you, some externally-facing device must be providing NAT/PAT.
So, don't provide NAT/PAT, and keep your border devices and hosts secure. If you have more questions, please describe your network more thoroughly. |
Thanks for the quick reply.
Exactly, it's a lab environment and I just want to block everything else except those internal IPs. |
And I forgot to mention we do use NAT.
|
You can open it up to your internal subnets, but remember that in doing so you'll also be allowing the internal IP for your NAT device (for the sake of argument, let's call it 192.168.0.1). You might consider allowing stateful traffic, but dropping inbound requests from 192.168.0.1.
|
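The approach in the reply above (open the two internal /24s, accept stateful return traffic, but drop new connections that show up with the NAT device's inside address) written out as an iptables script. This is an added example, not a ruleset posted in the thread. It assumes the NAT device's internal address is 192.168.0.1, as the reply supposes, and that SFTP runs on the standard SSH port 22; both can be overridden through environment variables. By default it only prints the commands so they can be reviewed; set APPLY=1 and run as root to actually load them.

```shell
#!/bin/sh
# Added example (not from the thread): build an INPUT ruleset that allows
# SFTP from 172.16.0.0/24 and 192.168.0.0/24, keeps established sessions
# working, and drops NEW connections sourced from the NAT device's inside
# address. Assumptions: NAT device is 192.168.0.1 (taken from the reply),
# SFTP listens on TCP/22. Nothing is applied unless APPLY=1.

NAT_DEVICE="${NAT_DEVICE:-192.168.0.1}"      # assumed, per the reply above
SFTP_PORT="${SFTP_PORT:-22}"                 # SFTP rides on SSH; 22 is the usual port
ALLOWED_NETS="172.16.0.0/24 192.168.0.0/24"  # the two subnets from the question

# Print one iptables command and execute it only when APPLY=1.
rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

build_rules() {
    # Start from an empty INPUT chain. The default policy is switched to
    # DROP last, after the ESTABLISHED rule is in place, so an existing
    # SSH session used to load the rules is not cut off half-way.
    rule -F INPUT

    # Loopback and already-established sessions always pass. The
    # ESTABLISHED,RELATED match is what lets replies to connections the
    # host itself opened come back in, including replies that traverse
    # the NAT device.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop NEW connections that carry the NAT device's inside address.
    # This rule sits before the subnet allows, because 192.168.0.1 is
    # itself inside 192.168.0.0/24 and would otherwise be accepted.
    rule -A INPUT -s "$NAT_DEVICE" -m state --state NEW -j DROP

    # Allow NEW SFTP connections from each internal subnet.
    for net in $ALLOWED_NETS; do
        rule -A INPUT -s "$net" -p tcp --dport "$SFTP_PORT" \
             -m state --state NEW -j ACCEPT
    done

    # Log a rate-limited sample of whatever is about to be dropped, so the
    # denials are visible in the system log without flooding it.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "

    # Everything not matched above is dropped by policy.
    rule -P INPUT DROP
}

build_rules
```

Run it once without APPLY to read the generated commands, then with `APPLY=1` from a console session if possible. Rule order matters: the drop for the NAT device's address has to come before the allow for 192.168.0.0/24, since that address is part of the allowed range.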
That sounds like a good idea. How would you do that in a good way?
|
Ideally, you have packet filtering at the switch level to handle this. (Or somewhere between you and the NAT device.)
Alternatively, your NAT device does the packet filtering. Or, you have host-level firewalls in place for all your private network workstations. (That may get unwieldy.) |
Quote:
Code:
iptables -P INPUT DROP
|
I was envisioning something similar to:
Code:
---------- |
|
TBH, I'm probably over-complicating things for the purposes of this thread. A NAT + firewall host is "good enough" for many situations.
|