Pedro
That "would" work, however, that would open the box totally to the outside. To open only 1 port, to a specific IP address, try this

$IPTABLES -A INPUT -i (network interface where connection coming into computer) -p tcp -s (IP of remote computer requiring access) --sport (port # as required) -d (IP where connection is coming into your machine) --dport (port # of internal service) -j ACCEPT

for example
IP 123.456.789 - Remote computer
IP 987.654.321 - Internal computer (eth0)
samba connection - port 137

$IPTABLES -A INPUT -i eth0 -p tcp -s 123.456.789 --sport 137 -d 987.654.321 --dport 137 -j ACCEPT

Hope this helps

Darcy
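As an added illustration (not code from this thread) of the first-match behaviour both rules above depend on, here is a small Python simulator for just the iptables options used here, run over constructed packets with RFC 5737 documentation addresses. It also shows why -I answers Jim's second question: a rule inserted with -I goes to the top of the chain and is evaluated before anything appended with -A.

```python
import ipaddress
import shlex

def parse_rule(cmd):
    """Parse one rule line (subset: -A/-I chain, -i, -p, -s, -d, --sport, --dport, -j)."""
    toks = shlex.split(cmd.replace("$IPTABLES", "iptables"))[1:]
    if len(toks) % 2:
        raise ValueError("every supported option takes exactly one value")
    rule = {"insert": False}
    for opt, val in zip(toks[::2], toks[1::2]):
        if opt in ("-A", "-I"):
            rule["chain"], rule["insert"] = val, opt == "-I"
        elif opt in ("-s", "-d"):  # a bare address means a /32 host match
            rule[{"-s": "src", "-d": "dst"}[opt]] = ipaddress.ip_network(val, strict=False)
        elif opt in ("--sport", "--dport"):
            rule[opt[2:]] = int(val)
        elif opt in ("-i", "-p", "-j"):
            rule[{"-i": "in", "-p": "proto", "-j": "target"}[opt]] = val.lower() if opt == "-p" else val
        else:
            raise ValueError("unsupported option: " + opt)
    return rule

def matches(rule, pkt):
    """True when every criterion present on the rule fits the packet (absent = any)."""
    return (rule.get("in", pkt["in"]) == pkt["in"]
            and rule.get("proto", "all") in ("all", pkt["proto"])
            and all(ipaddress.ip_address(pkt[k]) in rule[k] for k in ("src", "dst") if k in rule)
            and all(rule[k] == pkt[k] for k in ("sport", "dport") if k in rule))

def build_chain(cmds):
    """Apply commands in order: -A appends to the end, -I inserts at the top."""
    chain = []
    for cmd in cmds:
        rule = parse_rule(cmd)
        chain.insert(0, rule) if rule["insert"] else chain.append(rule)
    return chain

def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed sample packets (RFC 5737 documentation addresses, not real hosts):
# an LDAP query from a LAN host arriving on eth0, and the same query arriving on eth1.
LAN_LDAP = {"in": "eth0", "proto": "tcp", "src": "192.0.2.10",
            "dst": "192.0.2.1", "sport": 40123, "dport": 389}
WAN_LDAP = dict(LAN_LDAP, **{"in": "eth1", "src": "198.51.100.7"})
```

The interface, source address and destination port do the real work of keeping a service off the outside interface; matching on the client's source port adds little, since clients normally connect from an ephemeral port rather than the service port.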

Pedro Figueira wrote:

Hello Jim,

I don't know if it is possible to do that kind of filter with shorewall, but
by hand you can ACCEPT those packets to the specified ports only if they
come from one specified network interface (here you can put your 'private'
one, normally eth0).

for example:

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT

where IPTABLES="/usr/sbin/iptables" and $LAN_IFACE is our incoming interface
(private one)

this rule accepts all packets of all protocols from interface
$LAN_IFACE

for more info please read the Iptables Tutorial by Oskar Andreasson @
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html

bye

----- Original Message -----
From: "Jim C" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 24, 2003 10:52 PM
Subject: [expert] Firewalls - iptables
I have a problem not just with shorewall but with every Linux firewall
I've ever come across, including gShield.

I need to enable say 4 or 5 specific ports on my internal network but I
do *NOT* want them available to the net. The ports in question are the
LDAP / Samba ports which are used for authentication. We can assume
that shorewall has the ports closed on all interfaces. I've found that
if I specify them in the "Advanced" box, shorewall throws them open
to the world, which is definitely unacceptable behaviour. My questions
then are as follows:

1. Is there a way to specify origin on the Advanced line such that I
could say that if a packet arrives for this port on this interface, then
drop/reject whatever?

2. Alternatively, is there a way to write a simple iptables rule that
supersedes all others and is preferably interface specific? What might
the syntax for this be? I see no reason to spend a day or so studying
iptables just to figure out how to write 1 line, if such were possible.
Jim C.

----------------------------------------------------------------------------

Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com