Kyle, apologies for the top posting - mail2web is a bit dumb at this. Do you mean that the script should look like this?

iptables -A INPUT -m state --state NEW -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o ethX -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ethX -j DROP

Can you have two -m statements on the one line?

Regards,

Rick


Kyle wrote:

No guarantees, as I'd have to think about it a bit more, but....

I would think you might want to add '-m state --state NEW' to the first rule, otherwise the 2nd rule is irrelevant. The 2nd rule will presently allow ALL established connections from anywhere that managed to get in to the machine (from other interfaces as well).

If you want B to talk to A ONLY, add a '-o ethX' to the 3rd rule. Then you also need a 'iptables -A INPUT -j DROP' (depending on the line above, add a '-i ethX' to this).

I think...

------------------------------------------------------------------------

Kind Regards
Kyle

Rick Phillips wrote:
> I am not very good at IPTables and was seeking opinions as to whether
> this formula would work to fully block a connection from computer A to B
> but allow ssh and web only from B to A. The tables would reside on A.
>
> iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o ethX -j DROP
>
> The network is off site and quite a distance away with no external admin
> so I would like to have it "right" before I visit.
>
> Thanks in advance.
>
> Rick

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
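The ruleset the thread converges on, assembled into one script as an added example (this is not code posted by Rick or Kyle). It takes Kyle's points as given: '--state NEW' on the first rule so the ESTABLISHED rule has something to do, a DROP at the end of both chains, and the DROPs scoped to the link interface with -i/-o so they do not also cut off lo and any other interface on A. As a choice made here, every rule is scoped to that interface, since the stated goal only concerns the A-B link. It also answers Rick's question: two -m matches on one rule are fine, each -m loads another match extension and a packet must satisfy all of them before it reaches -j. The option name for the multiport extension is --dports. The function names (build_rules, apply_rules, rule_count), the IPTABLES variable and the "apply" argument are conventions of this script, not iptables features; the script applies nothing unless run as root with "apply ethX".

```shell
#!/bin/sh
# Added example, not from the thread: the agreed ruleset, parameterised
# by the interface that faces host B (ethX in the thread).
# Chains are evaluated top down and the first matching rule wins, so the
# ACCEPT rules must precede the DROP that ends each chain.

# Print the rules, one per line, as iptables arguments. Nothing is applied.
build_rules() {
    iface="$1"
    # New ssh/web connections arriving from B on the link interface.
    # Two -m matches on one rule: state must be NEW *and* port must be
    # one of www,ssh.
    echo "-A INPUT -i $iface -p tcp -m state --state NEW -m multiport --dports www,ssh -j ACCEPT"
    # Further packets of connections already accepted above.
    echo "-A INPUT -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Everything else arriving on the link. Kyle's caveat: without -i this
    # would also drop traffic on every other interface, lo included.
    echo "-A INPUT -i $iface -j DROP"
    # A's replies on connections B opened.
    echo "-A OUTPUT -o $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Any connection A itself tries to open towards B.
    echo "-A OUTPUT -o $iface -j DROP"
}

# Feed each rule to iptables. IPTABLES="echo iptables" previews instead.
apply_rules() {
    build_rules "$1" | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended
        ${IPTABLES:-iptables} $rule || return 1
    done
}

# Number of rules the script produces for an interface.
rule_count() {
    build_rules "$1" | wc -l | tr -d ' '
}

# Usage (as root):            sh firewall.sh apply ethX
# Preview without applying:   IPTABLES="echo iptables" sh firewall.sh apply ethX
if [ "$1" = "apply" ] && [ -n "$2" ]; then
    apply_rules "$2"
fi
```

Run the preview form first on a remote box: with IPTABLES set to "echo iptables" the script prints the five commands it would run, which is a cheap way to check the interface name and rule order before locking yourself out of a machine you cannot reach.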
