EDIT: I just realized your question was already answered... so never mind my post... I guess I'm not used to the new layout here at LQ yet...
Quote:
Originally Posted by kriggo15
If I wanted to accept the address 192.168.1.20, how would I write the rule? Also, if I write this at the very top of my rules, would it be executed first?
To accept all incoming TCP and UDP packets from 192.168.1.20 it would go something like this:
Code:
iptables -A INPUT -p TCP -s 192.168.1.20 -j ACCEPT
iptables -A INPUT -p UDP -s 192.168.1.20 -j ACCEPT
And yes, the iptables commands in a script are executed from top to bottom (just like any other shell script)... also, as far as the chains are concerned, the packets will hit the rules at the top first... so for example, here the TCP packet would be accepted regardless:
Code:
iptables -A INPUT -p TCP -s 192.168.1.20 -j ACCEPT
iptables -A INPUT -p TCP -s 192.168.1.20 -j DROP
And here it would be filtered regardless:
Code:
iptables -A INPUT -p TCP -s 192.168.1.20 -j DROP
iptables -A INPUT -p TCP -s 192.168.1.20 -j ACCEPT
Quote:
Also, if I wanted to block all ip addresses other than the 192.168.1.20 address (192.168.1.1-19,21-255) how would I write that rule?
Well, if your policy is set to DROP then all you have to do is create an ACCEPT rule for packets with source address 192.168.1.20... then any packet from any other IP will get filtered, as long as you don't have any other rule matching the packet after it passes the ACCEPT rule for 192.168.1.20...
But if what you mean is that you have an ACCEPT rule for, say, TCP/80 packets and you want to filter that entire subnet except for the 192.168.1.20 IP, then it would look like this:
Code:
iptables -A INPUT -p TCP -s 192.168.1.20 --dport 80 -j ACCEPT
iptables -A INPUT -p TCP -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p TCP --dport 80 -j ACCEPT
As you can see, the packet will hit the first rule, and if it's from 192.168.1.20 (and the destination port is TCP/80) it will be accepted... if it's not from 192.168.1.20 then the packet will keep going to the next rule, which states that if the packet is from subnet 192.168.1.0/24 it should be filtered...
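The first-match behaviour described in the post above can be checked without touching a live firewall. The following is an added example, not code from the post or from the iptables project: a small Python model of INPUT-chain evaluation that parses only the options the post uses (-p, -s, --dport, -j), walks the rules top to bottom, and falls back to the chain policy (assumed here to be DROP) when nothing matches. Packets and the rule lines are constructed inline; the rule lines are the ones from the post.

```python
"""Model of iptables INPUT-chain evaluation: the first matching rule with a
terminating target (ACCEPT/DROP) decides; otherwise the chain policy applies.

Illustrative code only, not iptables itself. It handles just the options
used in the post (-p, -s, --dport, -j) and ignores everything else.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    proto: Optional[str]                   # "tcp", "udp" or None (any protocol)
    src: Optional[ipaddress.IPv4Network]   # source host/network or None (any)
    dport: Optional[int]                   # destination port or None (any)
    target: str                            # "ACCEPT" or "DROP"


def parse_rule(cmd: str) -> Rule:
    """Parse one 'iptables -A INPUT ...' command line into a Rule."""
    argv = shlex.split(cmd)
    proto = src = dport = target = None
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt == "-p":
            proto = argv[i + 1].lower()
            i += 2
        elif opt == "-s":
            # A bare host like 192.168.1.20 becomes a /32 network.
            src = ipaddress.ip_network(argv[i + 1], strict=False)
            i += 2
        elif opt == "--dport":
            dport = int(argv[i + 1])
            i += 2
        elif opt == "-j":
            target = argv[i + 1].upper()
            i += 2
        else:
            i += 1  # "iptables", "-A", "INPUT": not part of the match
    if target not in ("ACCEPT", "DROP"):
        raise ValueError(f"unsupported target in: {cmd}")
    return Rule(proto, src, dport, target)


def evaluate(rules: List[Rule], proto: str, src_ip: str, dport: int,
             policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto is not None and r.proto != proto.lower():
            continue
        if r.src is not None and ip not in r.src:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target
    return policy  # nothing matched: chain policy (assumed DROP)


# The "subnet exception" chain from the post, in the order given there.
RULES = [parse_rule(line) for line in """
iptables -A INPUT -p TCP -s 192.168.1.20 --dport 80 -j ACCEPT
iptables -A INPUT -p TCP -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p TCP --dport 80 -j ACCEPT
""".strip().splitlines()]


def demo() -> dict:
    """Constructed sample packets run through RULES."""
    return {
        "host_80": evaluate(RULES, "tcp", "192.168.1.20", 80),    # rule 1
        "subnet_80": evaluate(RULES, "tcp", "192.168.1.55", 80),  # rule 2
        "outside_80": evaluate(RULES, "tcp", "10.0.0.7", 80),     # rule 3
        "host_22": evaluate(RULES, "tcp", "192.168.1.20", 22),    # rule 2!
        "outside_22": evaluate(RULES, "tcp", "10.0.0.7", 22),     # policy
        "udp_any": evaluate(RULES, "udp", "192.168.1.55", 53),    # policy
    }


def order_matters() -> Tuple[str, str]:
    """The two ACCEPT/DROP pairs from the post, same rules, swapped order."""
    accept_first = [parse_rule(l) for l in (
        "iptables -A INPUT -p TCP -s 192.168.1.20 -j ACCEPT",
        "iptables -A INPUT -p TCP -s 192.168.1.20 -j DROP")]
    drop_first = list(reversed(accept_first))
    return (evaluate(accept_first, "tcp", "192.168.1.20", 443),
            evaluate(drop_first, "tcp", "192.168.1.20", 443))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} -> {verdict}")
    print("accept-first / drop-first:", order_matters())
```

Two things the model makes visible that are easy to miss when reading the rules. First, the subnet DROP in rule 2 also catches 192.168.1.20 on every port other than TCP/80 (the `host_22` case), which is what the post's layout implies but is worth confirming is what you want. Second, script order equals chain order only because the post uses `-A` (append); `iptables -I INPUT ...` inserts at position 1 regardless of where the line sits in the script. On a real box, confirm the final order with `iptables -S INPUT` or `iptables -L INPUT -n --line-numbers`.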