iptables rule to allow only one IP to connect

papaLou · 11-08-2011, 04:18 PM

I'm trying to figure out a way that my linux box will allow only one IP address to connect to a list of ports.

I don't know what IP address it will be but once I have one IP connected I want to drop all others.

Anyone have any hints?

jlinkels · 11-08-2011, 05:23 PM

Try and see if connlimit suits your needs.
http://www.cyberciti.biz/faq/iptable...-limits-howto/

jlinkels

papaLou · 11-08-2011, 06:23 PM

Not quite, I need to limit number of IP's connected, this can limit number of connections per IP. Thanks though

jlinkels · 11-08-2011, 06:31 PM

connlimit-mask 32?

jlinkels

hermouche · 11-09-2011, 11:56 AM

Quote:

Originally Posted by papaLou

I'm trying to figure out a way that my linux box will allow only one IP address to connect to a list of ports.

I don't know what IP address it will be but once I have one IP connected I want to drop all others.

Anyone have any hints?

Let say you want to give access only to 192.160.0.2 and to ports 80,443.
I think we can write it like this:

Quote:

iptables -A INPUT -s ! 192.168.0.2 -p tcp -m multiport 80,443 -j DROP

Which means that if it's not the 192.168.0.2 host, well just drop it.

I'm not sure about it, but give it a try

red

teebones · 11-09-2011, 12:56 PM

Quote:

Originally Posted by hermouche

Let say you want to give access only to 192.160.0.2 and to ports 80,443.
I think we can write it like this:

Which means that if it's not the 192.168.0.2 host, well just drop it.

I'm not sure about it, but give it a try

red

that not what the OP wants.. the remote IP is unknown, so a rule like yours is not possible.
He needs a throttle on the serviceport(s), so one source can connect to it (unrelated to how many times this source connects to it)

Although i don't see why the OP wants to do this, since it could mean the OP is not allowed to connect if a portscan is ran by someone (hack recon e.g.)