INPUT and PORTS

Wakko Warner wakko at animx.eu.org
Wed Nov 1 18:40:30 CET 2006


plugthebox.net /dev/null wrote:
> I want to thank you all for contributing. 
> 
> I'm currently setting up a firewall and a web interface for it. My
> strategy is to have:
> 
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -A FORWARD -d 10.2.2.115 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.115 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.115 -j ACCEPT
> /sbin/iptables -A FORWARD -d 10.2.2.116 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.116 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.116 -j ACCEPT
> /sbin/iptables -A FORWARD -d 10.2.2.117 -j ACCEPT
> /sbin/iptables -A FORWARD -s 10.2.2.117 -j ACCEPT
> /sbin/iptables -A INPUT -s 10.2.2.117 -j ACCEPT
> etc...
> /sbin/iptables -A INPUT -j DROP
> /sbin/iptables -A FORWARD -j DROP
> 
> Meaning, I want to accept the connections from these 3 IPs, and drop all
> the rest. Now I want to let those allowed IPs only use 3 ports for
> the INPUT and more than 30 ports for FORWARDs (p2p and misc ports).
> 
> I can't use -m multiport for each FORWARD, there are more ports than
> 1 FORWARD line can run.
> 
> I thought by allowing the ports BEFORE the IPs, that it would
> allow only the ports ACCEPTed to the IPs ACCEPTed, is that correct?

If I understand what you are wanting correctly, something I'm currently
doing may be what you want.

If you want to only allow specific IPs to connect to specific ports, you
might want to try this:

create 2 chains:  ip and port (or whatever you want to name them).

iptables -N ip
iptables -N port
iptables -A INPUT -j ip
iptables -A FORWARD -j ip

in ip:
iptables -A ip -j port -s 10.2.2.115
iptables -A ip -j port -d 10.2.2.115
...

in port:
iptables -A port -j ACCEPT -p tcp --dport 80
iptables -A port -j ACCEPT -p tcp --dport 22
...

Since you have the policy already to drop, there's probably no reason to add
DROP rules to INPUT and FORWARD.

If you want to allow any IPs, just add them to the ip chain.  If you want to
allow the current list of IPs to access different ports, just add that port
to the port chain.

-- 
 Lab tests show that use of micro$oft causes cancer in lab animals
 Got Gas???
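An added example, written here and not code from Wakko's post or from the netfilter project: a small POSIX sh script that renders the two-chain layout above (INPUT/FORWARD jump to an "ip" chain, which jumps to a "port" chain) as an iptables-restore file, so the whole rule set can be read and syntax-checked before it is loaded. The chain names come from the post; the host addresses and port numbers are constructed samples. One rule not in the post is added and marked as such: a conntrack rule that accepts replies to already-accepted connections, because with only --dport matches in the port chain the return packets of a forwarded connection (arriving with a random destination port toward the allowed host) would otherwise fall through to the DROP policy.

```shell
#!/bin/sh
# Added example, not code from the original post. It renders the two-chain
# layout (built-in INPUT/FORWARD -> "ip" chain -> "port" chain) as an
# iptables-restore ruleset. Hosts and ports below are constructed samples.

ALLOWED_HOSTS="10.2.2.115 10.2.2.116 10.2.2.117"   # constructed sample hosts
ALLOWED_TCP_PORTS="80 22 443"                       # constructed sample ports

# emit LINE: print one line; printf avoids echo mis-reading leading dashes
emit() {
    printf '%s\n' "$1"
}

# gen_ruleset HOSTS PORTS: print a complete *filter table in iptables-restore
# format. Policy DROP on INPUT and FORWARD is the final drop, so no trailing
# "-A INPUT -j DROP" / "-A FORWARD -j DROP" rules are needed.
gen_ruleset() {
    hosts=$1
    ports=$2
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':ip - [0:0]'      # user-defined chains (the "iptables -N ip/port" step)
    emit ':port - [0:0]'
    # Not in the original post: accept replies to connections that were already
    # accepted. Without this, return packets in FORWARD (random destination
    # port toward the allowed host) never match the port chain and hit policy DROP.
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Hand all remaining INPUT and FORWARD traffic to the ip chain
    emit '-A INPUT -j ip'
    emit '-A FORWARD -j ip'
    # ip chain: traffic to or from an allowed host continues to the port chain;
    # anything else falls off the end, returns to the built-in chain and is
    # dropped by its policy
    for h in $hosts; do
        emit "-A ip -s $h -j port"
        emit "-A ip -d $h -j port"
    done
    # port chain: only the listed TCP destination ports are accepted
    for p in $ports; do
        emit "-A port -p tcp --dport $p -j ACCEPT"
    done
    emit 'COMMIT'
}

# count_rules PATTERN: number of lines in the generated set matching PATTERN
count_rules() {
    gen_ruleset "$ALLOWED_HOSTS" "$ALLOWED_TCP_PORTS" | grep -c -- "$1"
}

# Write the ruleset to stdout, e.g. "sh gen.sh > rules.v4"; load it with
# "iptables-restore < rules.v4" ("iptables-restore --test rules.v4" only
# parses it without committing anything).
gen_ruleset "$ALLOWED_HOSTS" "$ALLOWED_TCP_PORTS"
```

Adding a host means one more pair of lines in the ip chain and adding a port means one more line in the port chain, which is the same maintenance property Wakko describes; generating the file rather than running iptables one command at a time also means the firewall never sits half-configured between the policy change and the ACCEPT rules.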

More information about the netfilter mailing list