hi

try to remove the -p (protocol) flag and port numbers ...

iptables -A INPUT -i eth1 -s 192.168.1.0 -d 192.168.1.253 -j ACCEPT

if removing the port number is not acceptable i think you must specify one protocol (TCP or UDP) and not 'all', but remember that only packets that come from eth1 will be accepted, and TEST your rules before going online!...

Regards,
Pedro Figueira

----- Original Message -----
From: "Jim C" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 10:07 PM
Subject: Re: [expert] Firewalls - iptables

> Still not working.
> Note that the internal interface is eth1 (192.168.1.253) and external is eth0.
>
> [root@enigma root]# iptables -A INPUT -i eth1 -p all -s 192.168.1.0 --source-port all -d 192.168.1.253 --dport 137:139 -j ACCEPT
>
> iptables v1.2.6a: Unknown arg `--source-port'
> Try `iptables -h' or 'iptables --help' for more information.
>
> [root@enigma root]# iptables -A INPUT -i eth1 -p all -s 192.168.1.0 --sports all -d 192.168.1.253 --dport 137:139 -j ACCEPT
>
> iptables v1.2.6a: Unknown arg `--sports'
> Try `iptables -h' or 'iptables --help' for more information.
>
> [root@enigma root]# iptables -A INPUT -i eth1 -p all -s 192.168.1.0 --sport all -d 192.168.1.253 --dport 137:139 -j ACCEPT
>
> iptables v1.2.6a: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
>
> [root@enigma root]# iptables -A INPUT -i eth1 -p all -s 192.168.1.0 --sport 0: -d 192.168.1.253 --dport 137:139 -j ACCEPT
>
> iptables v1.2.6a: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
>
> [root@enigma root]# iptables -A INPUT -i eth1 -p all -s 192.168.1.0 --sport 137 -d 192.168.1.253 --dport 137:139 -j ACCEPT
> iptables v1.2.6a: Unknown arg `--sport'
>
>
> Darcy Brodie, CJL wrote:
> > Pedro
> > That "would" work, however, that would open the box totally to the outside.
> > To open only 1 port, to a specific IP address, try this
> >
> > $IPTABLES -A INPUT -i (network interface where connection coming into computer) -p tcp -s (IP of remote computer requiring access) --sport (port # as required) -d (IP where connection is coming into your machine) --dport (port # of internal service) -j ACCEPT
> >
> > for example
> > IP 132.456.789 - Remote computer
> > IP 987.654.321 - Internal computer (eth0)
> > samba connection - port 137
> >
> > $IPTABLES -A INPUT -i eth0 -p tcp -s 123.456.789 --sport 137 -d 987.654.321 --dport 137 -j ACCEPT
> >
> > Hope this helps
> >
> > Darcy
> >
> > Pedro Figueira wrote:
> >
> >> hello Jim
> >>
> >> i don't know if it is possible to do that kind of filter with shorewall but by hand you can ACCEPT those packets to the specified ports only if they come from one specified network interface (here you can put your 'private' one - normally eth0).
> >>
> >> for example:
> >>
> >> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
> >>
> >> where IPTABLES="/usr/sbin/iptables" and $LAN_IFACE is our incoming interface (private one)
> >>
> >> this rule accepts all packets from all the protocols from interface $LAN_IFACE
> >>
> >> for more info please read Iptables Tutorial by Oskar Andreasson @
> >> http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html
> >>
> >> bye
> >>
> >> ----- Original Message -----
> >> From: "Jim C" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Sent: Friday, January 24, 2003 10:52 PM
> >> Subject: [expert] Firewalls - iptables
> >>
> >>
> >>> I have a problem not just with shorewall but with every Linux firewall I've ever come across including gShield.
> >>>
> >>> I need to enable say 4 or 5 specific ports on my internal network but I do *NOT* want them available to the net. The ports in question are the LDAP / Samba ports which are used for authentication. We can assume that shorewall has the ports closed on all interfaces. I've found that if I specify them in the "Advanced" box, that shorewall throws them open to the world which is definitely unacceptable behaviour. My questions then are as follows:
> >>>
> >>> 1. Is there a way to specify origin on the Advanced line such that I could say that if a packet arrives for this port on this interface, then drop/reject whatever?
> >>>
> >>> 2. Alternatively, is there a way to write a simple iptables rule that supersedes all others and is preferably interface specific? What might the syntax for this be? I see no reason to spend a day or so studying iptables just to figure out how to write 1 line, if such were possible.
> >>>
> >>>
> >>> Jim C.
> >>>
> >>>
> >>> Want to buy your Pack or Services from MandrakeSoft?
> >>> Go to http://www.mandrakestore.com
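The pattern the thread converges on (accept the Samba/LDAP ports only from the LAN interface and network, never from the internet side), as an added example that is not from the thread or from any of its posters. It assumes the interfaces and addresses Jim gives (eth1 = 192.168.1.253 internal, eth0 external), that the LAN is the 192.168.1.0/24 network, and that LDAP is on TCP 389; it prints the rules rather than applying them unless APPLY=1. It also encodes the reason the rules in the thread were rejected: `--sport`/`--dport` are options of the tcp and udp match extensions, so they are only valid with `-p tcp` or `-p udp`, never with `-p all`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: LAN side is eth1 with
# address 192.168.1.253 on 192.168.1.0/24, internet side is eth0, LDAP on
# TCP 389. Rules are printed (dry run) unless APPLY=1 is set.

IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"
EXT_IFACE="${EXT_IFACE:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
HOST_IP="${HOST_IP:-192.168.1.253}"

# port_rule PROTO PORTS: print one ACCEPT rule for PORTS arriving on the LAN
# interface from the LAN network. Refuses "all": --dport only exists in the
# tcp/udp match extensions, which is why "-p all ... --sport" gave
# "Unknown arg" in the thread.
port_rule() {
    proto=$1; ports=$2
    case "$proto" in
        tcp|udp) ;;
        *) echo "port_rule: --dport needs -p tcp or -p udp, not -p $proto" >&2
           return 1 ;;
    esac
    echo "$IPTABLES -A INPUT -i $LAN_IFACE -p $proto -s $LAN_NET -d $HOST_IP --dport $ports -j ACCEPT"
}

# lan_only_rules: NetBIOS/Samba 137-139 (UDP and TCP) and LDAP 389 (TCP)
# accepted from the LAN only, and explicitly dropped on the external
# interface so that a later, more permissive rule cannot expose them.
lan_only_rules() {
    port_rule udp 137:139
    port_rule tcp 137:139
    port_rule tcp 389
    echo "$IPTABLES -A INPUT -i $EXT_IFACE -p udp --dport 137:139 -j DROP"
    echo "$IPTABLES -A INPUT -i $EXT_IFACE -p tcp -m multiport --dports 137,138,139,389 -j DROP"
}

if [ "${APPLY:-0}" = 1 ]; then
    lan_only_rules | sh       # apply for real (needs root)
else
    lan_only_rules            # dry run: review the rules first
fi
```

Run it once without APPLY to review the output, then `iptables -L INPUT -n -v` after applying to confirm the ACCEPT rules are matched only by traffic arriving on eth1.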
