Need Iptables command for a particular cond.

shipon_97 · 03-29-2006, 09:03 PM

Dear friend,

Suppose I ahve a Network 192.168.10.0/24 . I have a Linux/Nat Server which IP is
192.168.10.1 . Now i have 5 clients whose IP is serially 192.168.10.2 3 4 5 & 6 .
In this moment when i write the following IPTABLES command ,

iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 80 -j REJECT

Then all of my Network pc cannot connect with my Linux Server . But i want to make a
situation where only 192.168.10.5 can access 80 port of my linux server and any other
machine cannot use 80 port of my linux machine . Is there any IPTABLES Command in this
condition ?

haertig · 03-29-2006, 09:08 PM

Just make two rules. The first rule specifies to accept the connection from that specific IP address, the second rule then denies access (just as you have it now). Just make sure the "accept" rule comes before the "reject" rule.

Jeiku · 03-29-2006, 09:13 PM

iptables -A INPUT -p tcp -s ! 192.168.10.5 --dport 80 -j REJECT

win32sux · 03-31-2006, 01:57 AM

Quote:

Originally Posted by Jeiku

iptables -A INPUT -p tcp -s ! 192.168.10.5 --dport 80 -j REJECT

this is not such a good idea... you'd be sending answers to queries on the WAN side also... your best bet is to set the INPUT policy to DROP, and then use use more specific rules for your LAN, like this (assuming your LAN interface is eth1):

Code:

iptables -P INPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p TCP -i eth1 -s 192.168.10.5 \
--dport 80 -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth1 -s 192.168.10.0/24 \
--dport 80 -m state --state NEW -j REJECT

of course this assumes that you want to send a REJECT to the non-authorized machines on your LAN so that they don't hang or whatever... cuz you really don't *need* any REJECT rule to do this, as the --dport 80 packets which aren't from 192.168.10.5 will run smack into the DROP policy either way...