tkludy n00b
Joined: 16 Oct 2003 Posts: 1
Posted: Thu Oct 16, 2003 2:22 pm Post subject: firewall rule for opening a port for only one external host? |
How can I create a firewall rule to open a port for only one external host?
For instance, open port 8888 for IP 1.2.3.4, but don't allow any other host to access it...
Thanks!
zerb Tux's lil' helper
Joined: 07 Aug 2003 Posts: 145 Location: Germany
Posted: Thu Oct 16, 2003 3:02 pm Post subject: |
Code: |
iptables -I INPUT -s xxx.xxx.xxx.xxx -j ACCEPT -p tcp --destination-port <port>
|
then just add the port you want accessible
zerb Tux's lil' helper
Joined: 07 Aug 2003 Posts: 145 Location: Germany
Posted: Thu Oct 16, 2003 3:03 pm Post subject: |
and of course you need a rule to block traffic to this port too.
having those two rules, traffic will be dropped for all hosts but the one specified in the rule above
eNut n00b
Joined: 13 Jun 2003 Posts: 36
Posted: Thu Oct 16, 2003 5:05 pm Post subject: |
So you'd probably want something like this:
Code: |
IPTABLES=/path/to/iptables
# Start clean: flush INPUT and make DROP the default for anything not matched below.
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
# The requested rule: tcp/8888 from 1.2.3.4 only, arriving on the external interface.
$IPTABLES -A INPUT -s 1.2.3.4 -i ethx -p tcp --dport 8888 -j ACCEPT
# ********
# All other rules here
# ********
# Catch-all: log whatever is left, then drop it.
# (0.0.0.0/0 means "any address"; a bare 0.0.0.0 is 0.0.0.0/32 and would match only that one host.)
$IPTABLES -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG --log-level info --log-prefix "Input Catch-all:"
$IPTABLES -A INPUT -j DROP
|
The first two lines flush the INPUT chain and set its policy to DROP. The next line does what you are requesting. You should substitute the ethernet device that the connection would be coming in on for 'ethx', or leave out '-i ethx' and be a little less secure. The second-to-last line logs any packets that don't match anything in your list of chains, and the last line drops them.
You should put this all in a file so you can execute it when you make changes and also so you can execute it on boot.
Any other question, please ask.
Karl
Lozzer Tux's lil' helper
Joined: 18 Sep 2003 Posts: 84 Location: England
Posted: Thu Oct 16, 2003 6:07 pm Post subject: |
I'm interested in your last two rules -
Is there any difference between your second to last and
Code: |
$IPTABLES -A INPUT -j LOG --log-level info --log-prefix "Input Catch-all:"
|
Also the chain policy is DROP, does the last rule do anything different to this?
It might be a good idea to put a limiter on the log as well, although you need to have support for it in your kernel.
Code: |
$IPTABLES -A INPUT -m limit --limit 15/min -j LOG --log-level info --log-prefix "Input Catch-all:"
|
This can stop your logs getting DOSed, but it can also mean losing some info - it's a trade-off.
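Putting the two posts above together, eNut's script and Lozzer's rate-limited LOG rule, here is an added example (not code from the thread) that emits one complete, stateful INPUT policy in iptables-restore(8) format, so it can be reviewed and applied atomically instead of as a series of separate iptables calls. The address 1.2.3.4, port 8888 and interface eth0 are the thread's placeholders, not real hosts; the conntrack match and the LOGDROP chain name are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: build a complete INPUT policy that exposes
# one TCP port to a single external host, accepts return traffic by connection
# state, and rate-limits the catch-all log. The output is iptables-restore(8)
# text; lines beginning with '#' are ignored by iptables-restore.
# The host/port/interface values are the thread's placeholders, not real ones.

# gen_ruleset ALLOWED_SRC PORT EXT_IF: print the ruleset on stdout.
gen_ruleset() {
    allowed_src="$1"   # the one external host allowed in
    port="$2"          # TCP port to expose
    ext_if="$3"        # interface the connection arrives on

cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and the later packets of the
# allowed session, are accepted by state; the per-host rule only sees NEW.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The rule the thread asked for: only $allowed_src may reach tcp/$port.
-A INPUT -i $ext_if -p tcp -s $allowed_src --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Everything else: rate-limited log, then an explicit drop.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 15/min --limit-burst 5 -j LOG --log-level info --log-prefix "Input Catch-all: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# check_ruleset ALLOWED_SRC PORT EXT_IF: sanity-check the generated text without
# root or a kernel: the port appears in exactly one ACCEPT rule, that rule
# carries the allowed source, and the chain policy really is DROP.
check_ruleset() {
    rules="$(gen_ruleset "$1" "$2" "$3")"
    accepts="$(printf '%s\n' "$rules" | grep -c -- "--dport $2 .*-j ACCEPT")"
    [ "$accepts" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -- "--dport $2 " | grep -q -- "-s $1 " || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    return 0
}

# Usage (dry run first, then apply):
#   gen_ruleset 1.2.3.4 8888 eth0 | iptables-restore --test
#   gen_ruleset 1.2.3.4 8888 eth0 | iptables-restore
```

Because the whole table is loaded in one iptables-restore call there is no window in which the INPUT policy is DROP but the state rule is not yet in place, which is what bites when a script like the one above is re-run over an SSH session. The `--limit-burst 5` allows a short burst before the 15/min average applies; raise it if you want more of a scan's first packets in the log.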
eNut n00b
Joined: 13 Jun 2003 Posts: 36
Posted: Thu Oct 16, 2003 7:48 pm Post subject: |
Lozzer wrote: | I'm interested in your last two rules -
Is there any difference between your second to last and
Code: |
$IPTABLES -A INPUT -j LOG --log-level info --log-prefix "Input Catch-all:"
|
Also the chain policy is DROP, does the last rule do anything different to this?
It might be a good idea to put a limiter on the log as well, although you need to have support for it in your kernel.
Code: |
$IPTABLES -A INPUT -m limit --limit 15/min -j LOG --log-level info --log-prefix "Input Catch-all:"
|
This can stop your logs getting DOSed, but it can also mean losing some info - it's a trade-off. |
You're right. Having the policy as drop would make that drop rule redundant. I have a different setup and was just pulling rules out of my head that I know work from my setup. As for limiting the logging, I think it would be better to see what it catches and add additional drop rules for things you don't care about. I had a problem with lots of logged messages until I filtered a couple of things, and now I only get real important drops. Leaving out the -s and -d of the logging rule would work, but I've just always done it that way.
Karl
Lozzer Tux's lil' helper
Joined: 18 Sep 2003 Posts: 84 Location: England
Posted: Thu Oct 16, 2003 8:19 pm Post subject: Good plan |
That's a good idea with the logging. Do you have a list of stuff you dump anywhere handy? I'd guess the usual suspects would be ports 135, 137-139.
eNut n00b
Joined: 13 Jun 2003 Posts: 36
Posted: Thu Oct 16, 2003 9:16 pm Post subject: |
I'll try and remember to post my Drop chain when I get home. Off hand I do drop those netbios ports you mention and also a .255 address from outside my firewall.
Karl
eNut n00b
Joined: 13 Jun 2003 Posts: 36
Posted: Fri Oct 17, 2003 3:15 am Post subject: |
Here's my drop chain:
Code: |
echo " Creating a DROP chain.."
# Custom chain: silently drop the known noise, log and drop everything else.
$IPTABLES -N DropLog
# Inbound ICMP on the external interface: dropped without logging.
$IPTABLES -A DropLog -i $EXTIF -p ICMP -j DROP
# Limited broadcast arriving from outside.
$IPTABLES -A DropLog -i $EXTIF -d 255.255.255.255 -j DROP
# NetBIOS datagram (138) and name service (137) to the upstream subnet's broadcast address.
$IPTABLES -A DropLog -i $EXTIF -d 68.109.107.255 -p udp --dport 138 -j DROP
$IPTABLES -A DropLog -i $EXTIF -d 68.109.107.255 -p udp --dport 137 -j DROP
# Anything that gets this far is worth seeing in the log before it is dropped.
$IPTABLES -A DropLog -j LOG --log-level info
$IPTABLES -A DropLog -j DROP
|
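eNut's advice earlier in the thread was to look at what the catch-all LOG rule actually catches and only then add silent drops for the noise, which is how the DropLog chain above came about. As an added example (not from the thread), the script below does that triage over kernel LOG lines as they appear in syslog: it tallies dropped packets by protocol and destination port so the entries that deserve a silent DROP rule stand out. The log lines embedded in it are constructed for the example, using documentation address ranges, and the "Input Catch-all:" prefix is the one from eNut's script.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what the catch-all LOG rule is
# catching, so you can decide which noise deserves its own silent DROP rule
# (NetBIOS, local broadcast) and which drops are worth keeping in the log.
# Input is iptables LOG output as written to syslog/journalctl.
# The sample lines below are constructed for this example, not real traffic.

SAMPLE_LOG='Oct 17 03:10:01 gw kernel: Input Catch-all: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=3391 DPT=135 SYN URGP=0
Oct 17 03:10:02 gw kernel: Input Catch-all: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1145 DPT=135 SYN URGP=0
Oct 17 03:10:05 gw kernel: Input Catch-all: IN=eth0 OUT= SRC=198.51.100.2 DST=198.51.100.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 17 03:10:09 gw kernel: Input Catch-all: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=4010 DPT=135 SYN URGP=0
Oct 17 03:10:12 gw kernel: Input Catch-all: IN=eth0 OUT= SRC=198.51.100.2 DST=198.51.100.255 LEN=243 PROTO=UDP SPT=138 DPT=138 LEN=223
Oct 17 03:10:20 gw kernel: Input Catch-all: IN=eth0 OUT= SRC=203.0.113.80 DST=198.51.100.20 LEN=44 PROTO=TCP SPT=52144 DPT=8888 SYN URGP=0
Oct 17 03:10:31 gw kernel: Input Catch-all: IN=eth0 OUT= SRC=203.0.113.81 DST=198.51.100.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# summarize_drops [PREFIX]: read LOG lines on stdin, print "count proto dport"
# (dport is "-" for protocols without ports), most frequent first.
summarize_drops() {
    prefix="${1:-Input Catch-all:}"
    grep -F -- "$prefix" | awk '
        {
            proto = "?"; dpt = "-"
            # Fields are KEY=VALUE tokens; pick out the two we group by.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3n
}

# top_drop [PREFIX]: the single most frequent "proto dport" pair, e.g. "TCP 135".
top_drop() {
    summarize_drops "$1" | head -n 1 | cut -d' ' -f2-
}

# Run over the constructed sample (on a real box: journalctl -k | summarize_drops):
#   printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample, TCP/135 dominates, which is exactly the kind of entry that goes into a silent-drop rule, while the single hit on TCP/8888 from an address that is not the allowed host is the sort of line you want to keep seeing. Extending the awk key with the DST field is the natural next step if you want broadcast destinations (like the .255 rules above) separated from unicast probes.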