Hi

I'm no expert in iptables, but can you explain to me why that rule "would open
the box totally to the outside"? It only ACCEPTs the packets from eth1 (the
'private' network) .. that was just an example ... ;)

If I remember correctly from my computer security classes, the difference
between filtering by specific IP address and filtering by network interface
is that if you don't filter by network interface you become vulnerable to "IP
spoofing" attacks from the Internet ...

The best thing is to filter by IP address AND by network interface
..

Best regards
Pedro Figueira
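As an added illustration of the "interface AND address" point (this is not Pedro's, Darcy's or the list's code), the script below builds a small INPUT rule set for the LDAP/Samba case from the original question. It assumes eth0 is the LAN interface, eth1 the Internet interface and 192.168.1.0/24 the LAN subnet; all three are placeholders chosen for the example. The anti-spoofing rule drops anything arriving on the Internet side that claims a LAN source address, the ACCEPT rules require both the LAN interface and a LAN source, and only the destination port is matched, because a client's source port is ephemeral and is not a useful filter. IPTABLES defaults to `echo iptables`, so running the script only prints the rules; set IPTABLES=/usr/sbin/iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0 = LAN interface,
# eth1 = Internet interface, 192.168.1.0/24 = LAN subnet (RFC 1918, chosen
# for the example). IPTABLES defaults to "echo iptables" (dry run).

IPTABLES="${IPTABLES:-echo iptables}"
LAN_IFACE="${LAN_IFACE:-eth0}"
WAN_IFACE="${WAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Well-known ports for LDAP (389/tcp) and Samba (137,138/udp; 139,445/tcp).
LAN_TCP_PORTS="389 139 445"
LAN_UDP_PORTS="137 138"

# Return 0 if $1 is a.b.c.d or a.b.c.d/n with octets 0..255 and n 0..32.
valid_ipv4() {
    case "$1" in
        */*) addr="${1%%/*}"; prefix="${1#*/}" ;;
        *)   addr="$1";       prefix="" ;;
    esac
    # Reject non-digit characters, empty octets, leading or trailing dots.
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(echo "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    if [ -n "$prefix" ]; then
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

# Emit the rules through $IPTABLES (printed, unless IPTABLES points at the binary).
build_rules() {
    # Anti-spoofing: a packet on the Internet interface with a LAN source
    # address is forged; drop it before any ACCEPT below can match it.
    $IPTABLES -A INPUT -i "$WAN_IFACE" -s "$LAN_NET" -j DROP

    # Authentication services: LAN interface AND LAN source, destination port only.
    for p in $LAN_TCP_PORTS; do
        $IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $LAN_UDP_PORTS; do
        $IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done

    # Anything else to these ports, on any interface, is dropped, so a
    # permissive rule added later elsewhere cannot expose them to the world.
    for p in $LAN_TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$p" -j DROP
    done
    for p in $LAN_UDP_PORTS; do
        $IPTABLES -A INPUT -p udp --dport "$p" -j DROP
    done
}

valid_ipv4 "$LAN_NET" || { echo "bad LAN_NET: $LAN_NET" >&2; exit 1; }
build_rules
```

Order matters: iptables evaluates INPUT top to bottom and stops at the first match, so the anti-spoofing DROP is added first and the catch-all DROPs for the service ports last, after the narrow ACCEPTs.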

----- Original Message -----
From: "Darcy Brodie, CJL" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 2:58 AM
Subject: Re: [expert] Firewalls - iptables


> Pedro
>     That "would" work, however, that would open the box totally to the
> outside.  To open only 1 port, to a specific IP address, try this
>
> $IPTABLES -A INPUT -i (network interface where connection coming into
> computer) -p tcp -s (IP of remote computer requiring access) --sport
> (port # as required) -d (IP where connection is coming into your
> machine) --dport (port # of internal service) -j ACCEPT
>
> for example
> IP 132.456.789  -  Remote computer
> IP 987.654.321    - Internal computer (eth0)
> samba connection - port 137
>
> $IPTABLES -A INPUT -i eth0 -p tcp -s 123.456.789 --sport 137 -d
> 987.654.321 --dport 137 -j ACCEPT
>
> Hope this helps
>
> Darcy
>
> Pedro Figueira wrote:
>
> >hello Jim
> >
> >i don't know if it is possible to do that kind of filter with shorewall but
> >by hand you can ACCEPT those packets to the specified ports only if they
> >come from one specified network interface (here you can put your 'private' -
> >normally eth0).
> >
> >for example:
> >
> >$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
> >
> >where IPTABLES="/usr/sbin/iptables" and $LAN_IFACE is our incoming interface
> >(private one)
> >
> >this rule accepts all packets from all the protocols from interface
> >$LAN_IFACE
> >
> >for more info please read Iptables Tutorial by Oskar Andreasson @
> >http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html
> >
> >bye
> >
> >----- Original Message -----
> >From: "Jim C" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Friday, January 24, 2003 10:52 PM
> >Subject: [expert] Firewalls - iptables
> >
> >>I have a problem not just with shorewall but with every Linux firewall
> >>I've ever come across, including gShield.
> >>
> >>I need to enable say 4 or 5 specific ports on my internal network but I
> >>do *NOT* want them available to the net.  The ports in question are the
> >>LDAP / Samba ports which are used for authentication.  We can assume
> >>that shorewall has the ports closed on all interfaces.  I've found that
> >>if I specify them in the "Advanced" box, that shorewall throws them open
> >>to the world which is definitely unacceptable behaviour.  My questions
> >>then are as follows:
> >>
> >>1. Is there a way to specify origin on the Advanced line such that I
> >>could say that if a packet arrives for this port on this interface, then
> >>drop/reject whatever?
> >>
> >>2. Alternatively, is there a way to write a simple iptables rule that
> >>supersedes all others and is preferably interface specific?  What might
> >>the syntax for this be?  I see no reason to spend a day or so studying
> >>iptables just to figure out how to write 1 line, if such were possible.
> >>
> >>
> >>Jim C.
> >>
> >>Want to buy your Pack or Services from MandrakeSoft?
> >>Go to http://www.mandrakestore.com