LinuxQuestions.org

Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
iptables rule to allow only one IP to connect (http://www.linuxquestions.org/questions/linux-security-4/iptables-rule-to-allow-only-one-ip-to-connect-912545/)

papaLou 11-08-2011 05:18 PM

iptables rule to allow only one IP to connect
 
I'm trying to figure out a way that my linux box will allow only one IP address to connect to a list of ports.

I don't know what IP address it will be but once I have one IP connected I want to drop all others.

Anyone have any hints?

jlinkels 11-08-2011 06:23 PM

Try and see if connlimit suits your needs.
http://www.cyberciti.biz/faq/iptable...-limits-howto/

jlinkels

papaLou 11-08-2011 07:23 PM

Not quite, I need to limit the number of IPs connected; this can limit the number of connections per IP. Thanks though.

jlinkels 11-08-2011 07:31 PM

connlimit-mask 32?

jlinkels

hermouche 11-09-2011 12:56 PM

Quote:

Originally Posted by papaLou (Post 4519223)
I'm trying to figure out a way that my linux box will allow only one IP address to connect to a list of ports.

I don't know what IP address it will be but once I have one IP connected I want to drop all others.

Anyone have any hints?

Let's say you want to give access only to 192.168.0.2 and to ports 80,443.
I think we can write it like this:
Quote:

iptables -A INPUT ! -s 192.168.0.2 -p tcp -m multiport --dports 80,443 -j DROP
Which means that if it's not the 192.168.0.2 host, well just drop it.

I'm not sure about it, but give it a try :)

red

teebones 11-09-2011 01:56 PM

Quote:

Originally Posted by hermouche (Post 4519880)
Let's say you want to give access only to 192.168.0.2 and to ports 80,443.
I think we can write it like this:

Which means that if it's not the 192.168.0.2 host, well just drop it.

I'm not sure about it, but give it a try :)

red

That's not what the OP wants. The remote IP is unknown, so a rule like yours is not possible.
He needs a throttle on the service port(s), so that one source can connect to it (unrelated to how many times this source connects to it).

Although I don't see why the OP wants to do this, since it could mean the OP is not allowed to connect if a portscan is run by someone (hack recon, e.g.).

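The "first source wins" behaviour the thread is circling around is not something a single static iptables rule expresses, since the winning address is only known once a connection exists. The script below is an added example, not code from the thread or from any poster: it watches the established connections on a list of ports, takes the peer address of the first one, and then inserts the two rules that keep that peer in and drop everyone else on those ports. The port list (80,443), the `ss -tn` output (a constructed sample embedded here so it runs offline), and the dry-run default that prints the iptables commands instead of running them are all assumptions for the example; set DRY_RUN=0 and run as root to apply it for real.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: lock a port list to the first peer that
# connects. Assumptions (hypothetical): PORTS=80,443; peers are read from
# `ss -tn state established`; DRY_RUN=1 only echoes the iptables commands.
set -u

PORTS="${PORTS:-80,443}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `ss -tn state established` output (header + 4 rows).
SAMPLE_SS='Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      10.0.0.5:443          198.51.100.7:51234
0      0      10.0.0.5:22           203.0.113.9:40000
0      0      10.0.0.5:80           198.51.100.7:51240
0      0      10.0.0.5:443          192.0.2.33:55555'

# ipt ARGS... : run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo iptables "$@"
    else
        iptables "$@"
    fi
}

# pick_first_peer SS_OUTPUT : print the peer IP of the first established
# connection whose local port is in $PORTS; print nothing if there is none.
pick_first_peer() {
    printf '%s\n' "$1" | awk -v ports="$PORTS" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR == 1 { next }                          # skip the ss header line
        {
            lport = $3; sub(/.*:/, "", lport)     # "10.0.0.5:443" -> "443"
            peer  = $4; sub(/:[0-9]+$/, "", peer) # "198.51.100.7:51234" -> IP
            if (lport in want) { print peer; exit }
        }'
}

# lock_to_peer IP : keep IP's traffic to $PORTS and drop every other source.
# Both rules are inserted at the top of INPUT so they win over later rules;
# note that "!" negation goes before "-s" and multiport needs --dports.
lock_to_peer() {
    local ip="$1"
    ipt -I INPUT 1 -s "$ip" -p tcp -m multiport --dports "$PORTS" -j ACCEPT
    ipt -I INPUT 2 ! -s "$ip" -p tcp -m multiport --dports "$PORTS" -j DROP
}

# main : poll until someone is connected, then lock the ports to that peer.
# With the constructed sample this resolves immediately to 198.51.100.7.
main() {
    local peer
    if [ "$DRY_RUN" = 1 ]; then
        peer="$(pick_first_peer "$SAMPLE_SS")"
    else
        while :; do
            peer="$(pick_first_peer "$(ss -tn state established)")"
            [ -n "$peer" ] && break
            sleep 1
        done
    fi
    echo "locking ports $PORTS to first peer: $peer"
    lock_to_peer "$peer"
}

# Only run main when executed directly, not when sourced for the functions.
[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

The script encodes the caveat teebones raises: whoever completes a connection first wins the slot, and that includes a port scanner, so in practice you would pair this with a way to reset the lock (flush the two rules) once the intended peer is gone. It also does not help with the connlimit suggestion's limitation, since connlimit counts connections per source (or per prefix with --connlimit-mask) and cannot express "only one source at all".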
