LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-16-2003, 08:46 PM   #1
sysadmcse
LQ Newbie
 
Registered: Sep 2003
Posts: 1

Rep: Reputation: 0
Iptables to block everything except few hosts


Hi,

I am very new to iptables.

Here is what I want. I have a redhat 9 server. I want the following two constraints on it at the same time

1- Block all services/ports except SSH and ftp, both should be available to anyone anywhere in the world.
+
2- The following hosts can access all ports/services.
192.168.1.19
192.168.1.20
192.168.1.21

One more thing. How would I specify mac addresses instead of the ip addresses in the above number 2. I would like to play with both options.

Please accept my thanks in advance.

Regards.

RA.
 
Old 09-16-2003, 09:48 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,782
Blog Entries: 1

Rep: Reputation: 413
Welcome to LQ!

Actually, that isn't that hard to do. Start off by denying everything:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then start allowing stuff in:

#SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#Allow a specific IP to access everything
iptables -A INPUT -s 192.168.1.19 -j ACCEPT
#Do it for a MAC address
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT

A few things to remember as well:
You're going to need to set some OUTPUT rules as well. Usually, limiting those to ESTABLISHED and RELATED states works OK. Also, remember that the rules are executed IN ORDER and iptables stops at the first rule that matches the packet. That can mean that even if the rules are correct, you may not be getting the desired behavior because they are in the wrong order. Finally, remember that filtering on a MAC address is only going to work for computers connected to your LAN directly. MAC addresses get stripped when they travel the Internet.

And be sure to have a good, long read at FrozenTux

Last edited by Hangdog42; 09-16-2003 at 09:49 PM.
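The rule set that Hangdog42 sketches, written out as a complete script (an added example, not code from the thread). It generates the commands in the order the reply says matters: default-deny policies first, then loopback and ESTABLISHED,RELATED on both INPUT and OUTPUT (so replies to allowed connections and FTP data connections get back out), then the trusted hosts from the question, then SSH and FTP for everyone. The MAC address is a constructed placeholder, and the `build_rules`/`rule_count` function names and the `--apply` switch are this example's own conventions, not anything from the page. Running it without arguments only prints the rules; `--apply` pipes them into `sh`, which needs root.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the iptables policy from the
# thread: deny everything, allow SSH and FTP to the world, allow listed LAN
# hosts (by IP or MAC) to reach every port.

TRUSTED_IPS="192.168.1.19 192.168.1.20 192.168.1.21"   # hosts from the question
TRUSTED_MACS="00:00:00:00:00:01"   # constructed placeholder; MAC matching only works on the local LAN

# Print one iptables command per line, in the order it must be applied.
build_rules() {
    # 1. Clear old rules and set default-deny policies on every chain.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    # 2. Loopback, and packets belonging to connections we already allowed.
    #    The OUTPUT state rule is what lets the server answer at all once the
    #    OUTPUT policy is DROP; RELATED covers FTP data connections when the
    #    ftp conntrack helper is loaded.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Trusted hosts get every port. First match wins, so these go before
    #    any narrower rule you might add later (e.g. a rate limit on SSH).
    for ip in $TRUSTED_IPS; do
        echo "iptables -A INPUT -s $ip -j ACCEPT"
    done
    for mac in $TRUSTED_MACS; do
        echo "iptables -A INPUT -m mac --mac-source $mac -j ACCEPT"
    done
    # 4. Services open to anyone: only NEW connections need a rule here,
    #    the state rule above handles the rest of each session.
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
}

# Number of commands in the generated rule set (handy for a sanity check).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply)
        # Load the FTP connection-tracking helper (old and new module names),
        # then run the rules; stop at the first command that fails.
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp 2>/dev/null
        build_rules | sh -e
        ;;
    *)
        build_rules
        ;;
esac
```

Keeping the rules in a function that prints them, rather than running `iptables` directly, lets you review the exact order with a plain run before committing to `--apply`, and makes it easy to diff against `iptables -L -n --line-numbers` afterwards. Remember that with the OUTPUT policy at DROP the server itself cannot start new outbound connections (DNS lookups, package updates); add explicit OUTPUT rules for those if the box needs them.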