/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
James D. Silliman wrote:
> I've checked the archives and can't seem to get the correct sequence/syntax
> for these rules.
>
> Problem: I have a lot of unwanted users trying to login to port 21. I'd
> like to block those users and allow only ones from several specified
> hosts/ips. I realize that I could do it from ftpaccess file, but would
> rather use firewall rules.
do both.
> Would these lines be okay, in the following
> order? This is not my complete firewall ruleset.
>
> # Rule to allow all external traffic in
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
it's complete enough with a rule like that :)
> # Added to allow certain hosts access to port 21 only
>
> /sbin/ipchains -A input -p tcp -j ACCEPT -s micro$oft.com -d $extip/32 21
> /sbin/ipchains -A input -p tcp -j ACCEPT -s dell.com -d $extip/32 21
> /sbin/ipchains -A input -p tcp -j ACCEPT -s test.com -d $extip/32 21
these rules are never seen. the first rule given matches
any packet that might match these rules.
> # Deny rest of traffic on port 21
> ipchains -A input -p tcp -j DENY -s $extip/32 -d 0.0.0.0/0 21
i think you've got the -s and -d options the wrong way around.
if so, this rule will never be seen either. put it before
the one that accepts everything. if not, this rule is blocking
the masquerading host from ftp'ing anywhere which doesn't
sound like what you are talking about.
>
> Any help would be appreciated.
>
> UNI
raf
p.s. there's an ipchains mailing list as well ([EMAIL PROTECTED])
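The ordering raf describes, written out as an added example (this is not code from either poster): ipchains walks the input chain first-match, so the per-host accepts for port 21 come first, then a deny for everything else to port 21 with the -d/-s fixed so it matches packets addressed to $extip, and only then the broad accept. $extint, $extip and the allowed-host list are placeholders; IPCHAINS is an assumed override so the rules can be printed instead of loaded.

```shell
#!/bin/sh
# Added example, not from the original thread: ftp rules in first-match order.
# Assumptions: $extint/$extip as used in the thread; allowed hosts are
# placeholders; set IPCHAINS=echo to print the rules instead of loading them.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# ftp_rules IFACE EXTIP HOST...
# Emits the rules in the order they must be appended to the input chain.
ftp_rules() {
    extint=$1
    extip=$2
    shift 2
    # 1. Named hosts may reach tcp/21 on the external address.
    for host in "$@"; do
        "$IPCHAINS" -A input -i "$extint" -p tcp -s "$host" -d "$extip/32" 21 -j ACCEPT
    done
    # 2. Everyone else to tcp/21 is denied. -d (not -s) carries our address,
    #    because the packet's destination is the external interface.
    #    -l logs the denied packet through the kernel log so attempts are visible.
    "$IPCHAINS" -A input -i "$extint" -p tcp -s 0.0.0.0/0 -d "$extip/32" 21 -j DENY -l
    # 3. The broad accept goes last; placed first it would shadow rules 1 and 2.
    "$IPCHAINS" -A input -i "$extint" -s 0.0.0.0/0 -d "$extip/32" -j ACCEPT
}

# Usage: sh ftp_rules.sh --dry-run eth0 192.0.2.10 198.51.100.5 198.51.100.6
if [ "${1:-}" = "--dry-run" ]; then
    shift
    IPCHAINS=echo
    ftp_rules "$@"
fi
```

Two caveats for anyone adapting it: a hostname given to -s is resolved when the rule is inserted, so a domain name such as those in the quoted rules pins one address, not every host under that domain; and the deny rule with -l sits in the chain where it can also be inspected with `ipchains -L input -n` to confirm the three groups appear in this order.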
_______________________________________________
Masq maillist - [EMAIL PROTECTED]