Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 02-14-2007, 10:46 AM, cbidwell (LQ Newbie, Registered: Feb 2007, Posts: 3)
Simple iptables question
Hi all, I've got a simple iptables question.
Is there a way that I can enter an entire "domain" into iptables to either allow or deny over a specific port?
Similar to this in hosts.allow:
sshd : .qwest.net : allow
An iptables rule?
-A RH-Firewall-1-INPUT -s .qwest.net -m tcp -p tcp --dport 22 -j ACCEPT
But this is not accepted in iptables. I'd like to use the name and not the IP; that way it will deny a client that is not in our DNS records.
Any ideas?
Thanks,
Chris
#2, 02-14-2007, 11:12 AM, Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Try the rule without the '.' in front of the domain name:
Code:
-A RH-Firewall-1-INPUT -s qwest.net -m tcp -p tcp --dport 22 -j ACCEPT
#3, 02-16-2007, 12:36 PM, cbidwell (Original Poster, LQ Newbie, Registered: Feb 2007, Posts: 3)
Hi all again,
That doesn't seem to work the same. It assumes one IP address. I'd like to be able to include a whole class B or class C subnet without denoting the actual subnet. As I mentioned previously in the hosts.allow
.qwest.net
or
.gps.caltech.edu
etc.
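The two mechanisms being compared in this thread behave differently at a basic level, and the following added example (not from the thread or from any of its posters) models that difference: iptables resolves a hostname in `-s` once, when the rule is inserted, to that exact name's address records, while hosts.allow reverse-resolves each connecting client at connection time and matches a leading-dot pattern such as `.qwest.net` as a suffix of the resulting name, rejecting clients whose PTR name does not forward-resolve back to the same address (the PARANOID check in tcp_wrappers). The DNS tables below are constructed stand-ins for real lookups.

```python
# Constructed DNS data standing in for real forward/reverse lookups (example
# addresses from documentation ranges, not real hosts).
FORWARD = {                       # name -> A record
    "qwest.net": "203.0.113.1",
    "gw1.qwest.net": "203.0.113.10",
    "dsl-12.qwest.net": "203.0.113.44",
    "box.gps.caltech.edu": "198.51.100.7",
}
REVERSE = {                       # address -> PTR record
    "203.0.113.10": "gw1.qwest.net",
    "203.0.113.44": "dsl-12.qwest.net",
    "198.51.100.7": "box.gps.caltech.edu",
    "192.0.2.99": "gw1.qwest.net",   # forged PTR: name does not resolve back here
}


def iptables_source_match(rule_host):
    """Addresses an `iptables -s <rule_host>` rule ends up matching: the A
    records of that exact name, looked up once at insertion time. Hosts
    *under* the domain (gw1.qwest.net, ...) are not covered."""
    return [FORWARD[rule_host]] if rule_host in FORWARD else []


def hosts_allow_match(client_ip, patterns):
    """tcp_wrappers-style decision made per connection: reverse-resolve the
    client, forward-confirm the PTR name maps back to the same address, then
    match each pattern either exactly or, for a leading-dot pattern, as a
    domain suffix (".qwest.net" matches gw1.qwest.net but not qwest.net or
    evilqwest.net)."""
    name = REVERSE.get(client_ip)
    if name is None:
        return False                     # no PTR: cannot match any name pattern
    if FORWARD.get(name) != client_ip:
        return False                     # forged or stale PTR: reject
    for pat in patterns:
        if pat.startswith("."):
            if name.endswith(pat):
                return True
        elif name == pat:
            return True
    return False
```

The asymmetry is the point: `iptables_source_match("qwest.net")` covers one address, not the domain, so a name-based allow list for a whole domain has to live in a layer that does per-connection reverse lookups (hosts.allow, or the daemon's own access control), with iptables restricting by address or subnet.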
#4, 02-17-2007, 12:19 PM, friendklay (Member, Registered: Jan 2003, Posts: 36)
Quote:
Originally Posted by cbidwell
Hi all again,
That doesn't seem to work the same. It assumes one IP address. I'd like to be able to include a whole class B or class C subnet without denoting the actual subnet. As I mentioned previously in the hosts.allow
.qwest.net
or
.gps.caltech.edu
etc.
I have a similar query, so I am hijacking on your thread. What I have is apache listening on port 443, and I have only one IP. I also need to get SSH on port 443 (ISP blocks 22 and any other ports). What I tried was the following rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d shell.mydomain.com --dport 443 -j REDIRECT --to-port 22
However, the rule is working on the IP and not on the name (that is, shell.mydomain.com). I need iptables to port forward based on name rather than IP. Any solutions?
Last edited by friendklay; 02-17-2007 at 12:20 PM.
#5, 02-18-2007, 04:24 AM, LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
Quote:
Originally Posted by friendklay
I have a similar query, so I am hijacking on your thread. What I have is apache listening on port 443, and I have only one IP. I also need to get SSH on port 443 (ISP blocks 22 and any other ports). What I tried was the following rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d shell.mydomain.com --dport 443 -j REDIRECT --to-port 22
However, the rule is working on the IP and not on the name (that is shell.mydomain.com). I need IP table to port forward based on name rather than IP. Any solutions?
friendklay, please start your own thread for this question.
I'd suggest the Linux - Networking forum. Thanks.