LinuxQuestions.org
Old 08-28-2007, 09:52 PM   #1
packersfan2010
LQ Newbie
 
Registered: Aug 2007
Posts: 2

Rep: Reputation: 0
Firestarter - no restrictions on 1 IP address?


Hi,

I'm a Firestarter user who is filtering numerous machines to whitelist all but a few sites. However, I want to allow a single computer (firewalled via software) absolutely unrestricted access to the internet.

Is there a way to specify "allow any port to any destination" from a single source IP? (I've edited out the source IP as Foo.bar.not.valid.)
Like
Code:
$IPT -p tcp -I FORWARD -s Foo.bar.not.valid/32 -d 0/0 --dport ??? -j ACCEPT
$IPT -p udp -I FORWARD -s Foo.bar.not.valid/32 -d 0/0 --dport ??? -j ACCEPT
I'm hoping someone can fill in the question marks for me!

Thanks for any and all help.
 
Old 08-29-2007, 01:20 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I believe what you are trying to do with the above rules would be accomplished by

Code:
$IPT -p tcp -I FORWARD -s Foo.bar.not.valid -j ACCEPT
$IPT -p udp -I FORWARD -s Foo.bar.not.valid -j ACCEPT
or if you would rather allow all protocols (not just udp and tcp), you could use the single line:

Code:
$IPT -I FORWARD -s Foo.bar.not.valid -j ACCEPT
In either case, the FORWARD chain will accept packets coming from Foo.bar.not.valid regardless of destination address or port. The "/32" after the address is permissible but not mandatory, so I removed it for clarity. I also dropped the unnecessary (in this case) destination address for the same reason.

For the above rules to have any effect, you either need a DROP or REJECT policy on the FORWARD chain or you need a subsequent rule that DROPs or REJECTs packets. I still am unsure whether this accomplishes your overall goal (that would depend on other details you have not provided) but the rules will ACCEPT the packets I outlined above.

Last edited by blackhole54; 08-29-2007 at 01:22 AM. Reason: better wording
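To make the ordering and policy points above concrete, here is a small added model of how the FORWARD chain is evaluated (written for this thread, not code from the posts or from Firestarter): first matching rule wins, "-I" puts a rule at the top, and the chain policy decides anything nothing matched. The addresses are constructed placeholders standing in for Foo.bar.not.valid and a whitelisted site.

```python
"""Toy model of iptables FORWARD-chain evaluation (added example, not from the
thread). A rule is a dict of match fields plus a target; missing fields match
anything, exactly like omitting -p / -s / -d / --dport on the command line."""
import ipaddress


def _in(addr, net):
    # A bare address and address/32 denote the same one-host network.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class Chain:
    def __init__(self, policy="DROP"):
        self.policy, self.rules = policy, []

    def insert(self, **rule):   # like "iptables -I FORWARD ...": top of chain
        self.rules.insert(0, rule)

    def append(self, **rule):   # like "iptables -A FORWARD ...": end of chain
        self.rules.append(rule)

    def verdict(self, pkt):
        """pkt has proto, src, dst, dport; returns the first matching target."""
        for r in self.rules:
            if "proto" in r and r["proto"] != pkt["proto"]:
                continue
            if "src" in r and not _in(pkt["src"], r["src"]):
                continue
            if "dst" in r and not _in(pkt["dst"], r["dst"]):
                continue
            if "dport" in r and r["dport"] != pkt["dport"]:
                continue
            return r["target"]
        return self.policy          # nothing matched: chain policy applies


# Constructed addresses for the demo (stand-ins for Foo.bar.not.valid etc.).
UNRESTRICTED = "192.0.2.10"        # the one host that gets unfiltered access
ALLOWED_SITE = "198.51.100.5"      # a whitelisted site every LAN host may reach


def build_forward(policy="DROP"):
    fwd = Chain(policy)
    # Whitelist: everyone may reach the allowed site on 80/443 (appended).
    for port in (80, 443):
        fwd.append(proto="tcp", dst=ALLOWED_SITE, dport=port, target="ACCEPT")
    # blackhole54's single-line rule: no -p, no -d, no --dport, inserted on top.
    fwd.insert(src=UNRESTRICTED + "/32", target="ACCEPT")
    return fwd


def check(fwd, src, dst, proto="tcp", dport=80):
    return fwd.verdict({"proto": proto, "src": src, "dst": dst, "dport": dport})
```

With the policy set to ACCEPT and no later DROP/REJECT rule, the inserted rule changes nothing, which is the caveat in the reply.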
 
Old 08-29-2007, 07:34 AM   #3
packersfan2010
LQ Newbie
 
Registered: Aug 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for your help!

Quote:
Originally Posted by blackhole54
I believe what you are trying to do with the above rules would be accomplished by

Code:
$IPT -p tcp -I FORWARD -s Foo.bar.not.valid -j ACCEPT
$IPT -p udp -I FORWARD -s Foo.bar.not.valid -j ACCEPT
or if you would rather allow all protocols (not just udp and tcp), you could use the single line:

Code:
$IPT -I FORWARD -s Foo.bar.not.valid -j ACCEPT
In either case, the FORWARD chain will accept packets coming from Foo.bar.not.valid regardless of destination address or port. The "/32" after the address is permissible but not mandatory, so I removed it for clarity. I also dropped the unnecessary (in this case) destination address for the same reason.

For the above rules to have any effect, you either need a DROP or REJECT policy on the FORWARD chain or you need a subsequent rule that DROPs or REJECTs packets. I still am unsure whether this accomplishes your overall goal (that would depend on other details you have not provided) but the rules will ACCEPT the packets I outlined above.
Hey Blackhole,

Thanks for the reply. I have the whitelist all set up already, just looking to get the single IP unfiltered. I'll definitely give that a shot.

Thanks! I really appreciate your help. If I have any issues, you'll probably see me lurking around here again.

Last edited by packersfan2010; 08-29-2007 at 07:35 AM. Reason: smiley corrected
All times are GMT -5. The time now is 02:05 PM.