Old 09-16-2003, 09:46 PM   #1
LQ Newbie
Registered: Sep 2003
Posts: 1
Iptables to block everything except a few hosts


I am very new to iptables.

Here is what I want. I have a redhat 9 server. I want the following two constraints on it at the same time

1- Block all services/ports except SSH and FTP; both should be available to anyone anywhere in the world.
2- The following hosts can access all ports/services.

One more thing. How would I specify mac addresses instead of the ip addresses in the above number 2. I would like to play with both options.

Please accept my thanks in advance.


Old 09-16-2003, 10:48 PM   #2
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Welcome to LQ!

Actually, that isn't that hard to do. Start off by denying everything:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then start allowing stuff in:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#Allow a specific IP to access everything
iptables -A INPUT -s <IP address> -j ACCEPT
#Do it for a MAC address
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT

A few things to remember as well:
You're going to need to set some OUTPUT rules as well. Usually, limiting those to ESTABLISHED and RELATED states works OK.

Also, remember that the rules are executed IN ORDER and iptables stops at the first rule that matches the packet. That can mean that even if the rules are correct, you may not be getting the desired behavior because they are in the wrong order.

Finally, remember that filtering on a MAC address is only going to work for computers connected to your LAN directly. MAC addresses get stripped when they travel the Internet.

And be sure to have a good, long read at FrozenTux

Last edited by Hangdog42; 09-16-2003 at 10:49 PM.
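
The reply above gives the rules one at a time. As an added example (not code from either poster), here is the same design written as a complete iptables-restore ruleset: default DROP on all chains, loopback and ESTABLISHED/RELATED traffic allowed, trusted hosts matched by IP and by MAC, and SSH/FTP open to the world. The addresses are placeholders from the RFC 5737 documentation range plus a dummy MAC, not hosts from the thread, and the `-m state` rules for INPUT are my addition (the reply mentions them only for OUTPUT). Loading the ruleset with iptables-restore rather than rule by rule means the DROP policy and the ACCEPT rules land together, so there is no moment where an SSH session is cut off half-way through the script.

```shell
#!/bin/sh
# Added example: a whole-ruleset version of the approach in the reply above.
# Placeholder values (RFC 5737 addresses, dummy MAC); replace with your own.
TRUSTED_IPS="192.0.2.10 198.51.100.7"   # constraint 2: hosts allowed everything
TRUSTED_MACS="00:00:00:00:00:01"        # only meaningful for hosts on the local LAN
PUBLIC_TCP_PORTS="22 21"                # constraint 1: SSH and the FTP control channel

# Print the filter table in iptables-restore format.
build_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: anything not explicitly accepted is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Loopback must stay open or local daemons talking to each other break.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections already accepted. With the FTP connection-tracking
    # helper loaded (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp later),
    # RELATED also covers the FTP data channel, active or passive.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Trusted hosts get everything. Note on ordering: because the policy is
    # DROP and every rule here is an ACCEPT, order does not change the result.
    # It would matter the moment an explicit DROP/REJECT rule (say, for port 21
    # from one network) is added; that rule would have to come after these.
    for ip in $TRUSTED_IPS; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    for mac in $TRUSTED_MACS; do
        printf '%s\n' "-A INPUT -m mac --mac-source $mac -j ACCEPT"
    done
    # SSH and FTP from anywhere. Matching only NEW connections means stray
    # non-SYN segments aimed at these ports are still dropped.
    for port in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check: one ACCEPT rule per loopback/state entry, host, MAC and port.
count_accept_rules() {
    build_ruleset | grep -c -- '-j ACCEPT$'
}

# Load the table atomically (needs root). iptables-restore replaces the whole
# filter table in one step, so the DROP policy never exists without its
# accept rules, which over SSH would otherwise lock you out.
apply_ruleset() {
    build_ruleset | iptables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;   # default: print the ruleset for review
esac
```

Run it with no arguments to review the generated table, then `sh ruleset.sh apply` as root to load it; `iptables-save` afterwards shows exactly what went in.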

