Larry, routing is across (sub)networks.  Packet filtering is done by
interface or IPs.  Assuming the services are local and not forwarded,
here are your commands.  Virtual interfaces are not part of the
solution.  You can move your IPs from a virtual interface to a real one
and back and you don't need to change or even re-execute your firewall
script.

# flush existing rules, then drop anything INPUT does not explicitly accept
iptables -F
iptables -P INPUT DROP

iptables -A INPUT -i lo -j ACCEPT
# 10.0.0.2: match on the destination address the host answers on (-d, not -s),
# accept replies to its own outbound connections, then ftp/ssh/finger
iptables -A INPUT -d 10.0.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d 10.0.0.2 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -d 10.0.0.2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 10.0.0.2 -p tcp --dport 79 -j ACCEPT

# 10.0.0.3: http only
iptables -A INPUT -d 10.0.0.3 -p tcp --dport 80 -j ACCEPT

# icmp to either address only from the local /25
iptables -A INPUT -s 10.0.0.0/25 -p icmp -j ACCEPT

iptables -A OUTPUT -o lo   -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

Cory
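The same policy Larry describes, as an added dry-run script written for this page (it is not Cory's or Larry's commands). It assumes the addresses and ports from Larry's message, an `eth0`-only host, and an `IPT` variable that defaults to printing the rules instead of applying them; the rules are keyed on the destination address, which is why it does not matter whether 10.0.0.2 and 10.0.0.3 sit on eth0 or on an alias of it.

```shell
#!/bin/sh
# Added example (not Cory's or Larry's commands): Larry's stated policy,
# keyed on the DESTINATION address so the script is unchanged whether the
# addresses live on eth0 or on an alias of it.
# Dry run by default; apply for real with:  IPT=iptables sh thisfile.sh
IPT="${IPT:-echo iptables}"   # assumption: "echo iptables" prints rules rather than loading them

SRV_IP=10.0.0.2      # ftp, ssh, finger, plus replies to its own outbound connections
WEB_IP=10.0.0.3      # http and nothing else
LAN=10.0.0.0/25      # the only segment allowed to send ICMP to either address

build_rules() {
    $IPT -F
    $IPT -P INPUT DROP        # anything not listed below is dropped
    $IPT -P OUTPUT ACCEPT     # the host may originate traffic from either address

    $IPT -A INPUT -i lo -j ACCEPT

    # 10.0.0.2: inbound packets that belong to connections this address
    # already has open (replies to its outbound traffic), then the services
    $IPT -A INPUT -d "$SRV_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 21 22 79; do
        $IPT -A INPUT -d "$SRV_IP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 10.0.0.3: port 80 only.  There is deliberately no ESTABLISHED catch-all
    # here, so a connection opened from this address gets no replies back.
    $IPT -A INPUT -d "$WEB_IP" -p tcp --dport 80 -j ACCEPT

    # ICMP to either address only from the local /25
    for ip in "$SRV_IP" "$WEB_IP"; do
        $IPT -A INPUT -d "$ip" -s "$LAN" -p icmp -j ACCEPT
    done

    # Log what the DROP policy is about to discard, rate limited so a port
    # scan cannot flood syslog
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

build_rules
```

Run it once without `IPT` set to read the rule list it would load, then again with `IPT=iptables` as root to apply it; `iptables -L INPUT -n -v` afterwards shows the per-rule counters, which is the quickest check that the port-80 rule is the only one matching traffic to 10.0.0.3.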


On Fri, Jan 31, 2003 at 12:30:37PM -0800, Larry Price wrote:
> On Fri, 31 Jan 2003, Bob Miller wrote:
> 
> > Tell us what problem you're trying to solve, and I'll (try to)
> > tell you why virtual interfaces aren't part of the solution.
> 
> the problem:
> 
> a host has a single physical interface eth0
> and answers on two ip addresses (10.0.0.2 and 10.0.0.3)
> 
> 10.0.0.2 is supposed to answer on ports 21,22,79 and allow outbound
> traffic and existing connections for any other protocol
> 
> 10.0.0.3 is supposed to answer on port 80 and not for anything else
> 
> ICMP for both addresses is only available from within the 10.0.0.0/25
> segment
> 
> At this point it looks more like routing than packet filters.
> 
> 
> -- 
> http://www.efn.org/~laprice        ( Community, Cooperation, Consensus
> http://www.opn.org                 ( Openness to serendipity, make mistakes
> http://www.efn.org/~laprice/poems  ( but learn from them.(carpe fructus ludi)
> _______________________________________________
> Eug-LUG mailing list
> [EMAIL PROTECTED]
> http://mailman.efn.org/cgi-bin/listinfo/eug-lug