LinuxQuestions.org
Old 01-21-2004, 12:14 PM   #1
Beuzekom
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: Redhat 9.0
Posts: 38

Rep: Reputation: 15
Firewall - Allow 1 IP address on port x


All,

I have a basic question on configuring a firewall on my RedHat 9.0 computer. I have used security configs and lokkit but could not succeed.

What I want to do is the following:

* Allow 1 IP address on a certain port (incoming TCP/UDP traffic)
* Allow everybody on portrange 1024 - 2000 (incoming TCP/UDP)

How do I implement this? I hope somebody can help.

Thanks!!
 
Old 01-23-2004, 09:20 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
The rule format is..

iptables -I INPUT -s x.x.x.x -p tcp --dport port -j ACCEPT
iptables -I INPUT -p tcp --dport 1024:2000 -j ACCEPT

Have a look at this tutorial for all the options...

Using LOKKIT (cough, cough) will make a set of rules in /etc/sysconfig/iptables
Adding the rules above needs to be done after the LOKKIT rules are active, then do service iptables save to make them permanent.
iptables-save prints all active rules to the screen.
 
Old 01-23-2004, 09:46 AM   #3
palmercabel
Member
 
Registered: Oct 2003
Posts: 64

Rep: Reputation: 15
I second Peter's recommendation of that tutorial... read it 3 times before you try anything.

You should also be aware that LOKKIT is, um, *not well regarded*, and perhaps you would do better creating a rules script on your own. It might be a little intimidating at first but you will almost certainly end up with a better set of rules.

You should consider adding a rule that accepts packets bound to already-established sessions:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Peter, the rules you posted look good to me, but I wonder if Beuzekom needs UDP also.

HTH
 
Old 01-24-2004, 07:59 AM   #4
Beuzekom
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: Redhat 9.0
Posts: 38

Original Poster
Rep: Reputation: 15

Jo thanks ... did loads of reading and got things working!

You are right: initially the syntax is kind of strange, but once you have tried something it is really easy! I configured all specific ports and for the internal network I even do some MAC checking :-) ... and whatever is not defined in the chain is dropped.

$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
 
Old 01-26-2004, 07:11 AM   #5
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
quote..

$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP


I'd recommend you don't use the -s 0/0 -d 0/0 matches..
It's an unnecessary use of processor time and there are some packets which won't match against an IP number.
If that rule is going to be last, change the chain POLICY to DROP instead and maybe add a logging line to see what has been dropped.
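The ruleset the replies converge on (one host on one port for TCP and UDP, everybody on 1024-2000, ESTABLISHED/RELATED accepted, DROP as chain policy with a logging line instead of a catch-all -s 0/0 -d 0/0 DROP rule), put together as an added example; this is not code from any of the posters. It assumes the LOKKIT rules are being replaced rather than kept, so it flushes INPUT and uses -A; the trusted address 192.0.2.10 and port 22 are constructed defaults, and by default the commands are only printed (set IPT=/sbin/iptables as root to apply them).

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: the iptables
# commands are printed, not executed. Set IPT=/sbin/iptables to apply.
IPT="${IPT:-echo iptables}"

# gen_rules TRUSTED_IP PORT
#   TRUSTED_IP  the single host allowed to reach PORT (tcp and udp)
#   PORT        the "port x" from the question
gen_rules() {
    ip="$1"; port="$2"
    # Chain policy DROP (peter_robb's advice) instead of a final
    # "-s 0/0 -d 0/0 ... -j DROP" rule. Assumes the LOKKIT set is replaced.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    # Loopback, then replies to sessions this host opened (palmercabel's tip).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One host on one port, TCP and UDP (the original question asked for both).
    for proto in tcp udp; do
        $IPT -A INPUT -s "$ip" -p "$proto" --dport "$port" -j ACCEPT
    done
    # Everybody on the 1024-2000 range, TCP and UDP.
    for proto in tcp udp; do
        $IPT -A INPUT -p "$proto" --dport 1024:2000 -j ACCEPT
    done
    # Log what is about to hit the DROP policy, rate-limited so the
    # log cannot be flooded. Nothing after this: the policy drops the rest.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Constructed defaults: trusted host 192.0.2.10, port 22.
gen_rules "${1:-192.0.2.10}" "${2:-22}"
```

After applying for real, "service iptables save" (as peter_robb notes) writes the active set to /etc/sysconfig/iptables so it survives a reboot.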