LinuxQuestions.org

Linux - Security: Firestarter - no restrictions on 1 IP address? (https://www.linuxquestions.org/questions/linux-security-4/firestarter-no-restrictions-on-1-ip-address-580575/)

packersfan2010 08-28-2007 09:52 PM

Firestarter - no restrictions on 1 IP address?
 
Hi,

I'm a Firestarter user who is filtering numerous machines to whitelist all but a few sites. However, I want to allow a single computer (firewalled via software) absolutely unrestricted access to the internet.

Is there a way to specify allow any port to any destination from a single source IP? (I've edited out the source IP as Foo.bar.not.valid)
Like
Code:

$IPT -p tcp -I FORWARD -s Foo.bar.not.valid/32 -d 0/0 --dport ??? -j ACCEPT
$IPT -p udp -I FORWARD -s Foo.bar.not.valid/32 -d 0/0 --dport ??? -j ACCEPT

I'm hoping someone can fill in the question marks for me! :D

Thanks for any and all help. :study:

blackhole54 08-29-2007 01:20 AM

I believe what you are trying to do with the above rules would be accomplished by

Code:

$IPT -p tcp -I FORWARD -s Foo.bar.not.valid -j ACCEPT
$IPT -p udp -I FORWARD -s Foo.bar.not.valid -j ACCEPT

or if you would rather allow all protocols (not just udp and tcp), you could use the single line:

Code:

$IPT -I FORWARD -s Foo.bar.not.valid -j ACCEPT
In either case, the FORWARD chain will accept packets coming from Foo.bar.not.valid regardless of destination address or port. The "/32" after the address is permissible but not mandatory, so I removed it for clarity. I also dropped the unnecessary (in this case) destination address for the same reason.

For the above rules to have any effect, you either need a DROP or REJECT policy on the FORWARD chain or you need a subsequent rule that DROPs or REJECTs packets. I am still unsure whether this accomplishes your overall goal (that would depend on other details you have not provided), but the rules will ACCEPT the packets I outlined above.
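
As an added example (not part of the original thread, and not Firestarter's own rule set), the script below puts the pieces of the reply above together in one FORWARD chain: a default-deny policy, a short destination whitelist for the whole LAN, and a single `-I` rule that exempts one host for every protocol, port and destination. `$IPT` defaults to a dry run that prints the commands; the interface name `eth1`, the exempt host `192.0.2.10` and the whitelisted destinations `198.51.100.20`/`198.51.100.21` are placeholders (RFC 5737 documentation addresses) and must be replaced with real values.

```shell
#!/bin/sh
# Added example: default-deny FORWARD chain with a LAN-wide destination
# whitelist and one fully unrestricted source host.
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"                                # assumed LAN-facing interface
UNRESTRICTED_HOST="${UNRESTRICTED_HOST:-192.0.2.10}"    # placeholder exempt host
ALLOWED_DESTS="${ALLOWED_DESTS:-198.51.100.20 198.51.100.21}"  # placeholder whitelist

forward_rules() {
    # Default-deny policy: without it the ACCEPT rules below change nothing.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Let replies to already-accepted connections through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Whitelisted destinations, reachable by every host on the LAN.
    for d in $ALLOWED_DESTS; do
        $IPT -A FORWARD -i "$LAN_IF" -d "$d" -j ACCEPT
    done

    # The exempt host: any protocol, any destination, any port.
    # -I inserts at position 1 so it is matched before the whitelist and
    # before the final DROP; match on the LAN interface as well so a host
    # on the outside cannot spoof the address to get the same exemption.
    $IPT -I FORWARD -i "$LAN_IF" -s "$UNRESTRICTED_HOST" -j ACCEPT

    # Log and drop everything else explicitly (policy DROP is the backstop).
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP "
    $IPT -A FORWARD -j DROP
}

forward_rules
```

After applying, `iptables -L FORWARD -n -v --line-numbers` should show the `-s 192.0.2.10` rule at line 1 with its packet counters climbing when that host browses; if the counters stay at zero, a rule earlier in the chain (or another chain Firestarter jumps to first) is taking the traffic. Because Firestarter regenerates its chains when it restarts, rules added by hand outside its scripts do not survive a restart.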

packersfan2010 08-29-2007 07:34 AM

Thanks for your help!
 
Quote:

Originally Posted by blackhole54 (Post 2874218)

Hey Blackhole,

Thanks for the reply. I have the whitelist all setup already, just looking to get the single IP unfiltered. I'll definitely give that a shot. :D

Thanks! I really appreciate your help. If I have any issues, you'll probably see me lurking around here again :jawa:

