Re: iptables & tcp wrappers
From: harry (Rik.Bobbaers at cc.kuleuven.ac.be)
Date: Wed Sep 29 2004 - 07:51:47 CDT
Whelan, Paul wrote:
> "iptables -L --line-numbers" will show you the line numbers of the
> rules.
> "iptables -A INPUT -p tcp -s ! ONLY_IP_YOU_WANT --dport 22 -j DROP" will
> block every connection to port 22 except ONLY_IP_YOU_WANT.
not really... a good firewall (IMHO) drops everything, rejects auth
(nasty timeouts on ftp, irc, ... if you just drop auth), and accepts
these 4 (or 5) icmp requests:
"source-quench"
"parameter-problem"
"time-exceeded"
"destination-unreachable"
and your clients probably want the "echo-request" too :)
if you start like this, you can just use:
"iptables -A INPUT -p tcp -s <IP_YOU_WANT_TO_ALLOW> --dport 22 --syn -m state --state NEW -j ACCEPT"
and of course, you will need this rule too:
"iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
(keeps your network a little bit cleaner)
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers at cc.kuleuven.ac.be -=- http://harry.ulyssis.org
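The ruleset harry sketches above, rendered as a complete script (an added example, not code from the post): default-deny INPUT, REJECT rather than DROP for ident/auth (tcp/113), ACCEPT for the four ICMP control types plus echo-request, the RELATED,ESTABLISHED rule, and new SSH only from one trusted address. The trusted address and the loopback rule are assumptions of this example; build_rules only prints the commands, apply_rules runs them (root required).

```shell
#!/bin/sh
# Added example, not from the original post. Prints the iptables
# commands for the default-deny ruleset described in the thread.
# $1 is the single source address allowed to open SSH sessions
# (placeholder; replace with your own). The loopback ACCEPT is an
# addition of this example: with a DROP policy, local services that
# talk to 127.0.0.1 would otherwise break.
build_rules() {
    src="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p tcp -s $src --dport 22 --syn -m state --state NEW -j ACCEPT
EOF
}

# Sanity check on rule order: the RELATED,ESTABLISHED rule must come
# before the SSH rule, otherwise reply packets of an allowed session
# would only match if they also looked like a fresh SYN. Returns 0 if
# the ordering is right, 1 otherwise.
check_order() {
    rules="$(build_rules "$1")"
    est="$(printf '%s\n' "$rules" | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1)"
    ssh="$(printf '%s\n' "$rules" | grep -n -- '--dport 22' | cut -d: -f1)"
    [ -n "$est" ] && [ -n "$ssh" ] && [ "$est" -lt "$ssh" ]
}

# Apply the rules on a live system (needs root and the ipt_state module).
apply_rules() {
    check_order "$1" || return 1
    build_rules "$1" | sh
}

# Dry run with a constructed, documentation-range address:
build_rules 192.0.2.10
```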