On Sat, 24 Mar 2001, David Talkington wrote:

> Hector M Banda wrote:
>
> >Or better, is there any way I can restrict the telnet or the
> >ftp to my server to specific domains or addresses?
>
> Simplest way to accomplish that is to use /etc/hosts.allow and
> /etc/hosts.deny, if that's really all you need.
>
> -d
>
> --
> David Talkington
> Prairienet
> [EMAIL PROTECTED]
> 217-244-1962
>
With IPChains, set the default policy to deny, and then add a rule to
let the address in.  You can decide based on IP, or on NIC, if you have
more than one NIC and you only want to accept connections on one NIC.

For example, let's say eth0 is connected to the Internet, and eth1 is
connected to the internal network.  It only accepts telnet and ftp from
the internal network.

# telnet (tcp/23): accept on the internal NIC, then deny it from anywhere else
ipchains -A input -i eth1 -p tcp --destination-port 23 -j ACCEPT
ipchains -A input -p tcp --destination-port 23 -j DENY
# ftp control channel (tcp/21): same pattern
ipchains -A input -i eth1 -p tcp --destination-port 21 -j ACCEPT
ipchains -A input -p tcp --destination-port 21 -j DENY

Or, to accept only a specific address range (192.168.2.0-192.168.2.255):

# telnet (tcp/23): accept from 192.168.2.0/24, deny from every other source
ipchains -A input -s 192.168.2.0/24 -p tcp \
        --destination-port 23 -j ACCEPT
ipchains -A input -s 0.0.0.0/0 -p tcp \
        --destination-port 23 -j DENY
# ftp control channel (tcp/21): same pattern
ipchains -A input -s 192.168.2.0/24 -p tcp \
        --destination-port 21 -j ACCEPT
ipchains -A input -s 0.0.0.0/0 -p tcp \
        --destination-port 21 -j DENY

You can also combine the -i and -s options on the same rule.  You can
use -s with just one IP, instead of a range, or use a host name instead of
an IP, as long as DNS is up when you run the command.  (The IP address,
and not the host name, gets put in the rule table.)  If you set the
default policy to deny, then you do not need the deny rules for the
individual services.  Also, you can add extra accept rules before the
DENY rule.  Accept rules added after the deny rule will be ignored,
because the first match is used, and the deny rule matches everything.

Mikkel
-- 

    Do not meddle in the affairs of dragons,
 for you are crunchy and taste good with ketchup.
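The following is an added example, not code from the original posts: a small POSIX sh model of how the ipchains "input" chain evaluates rules of the kind shown above (first match wins, otherwise the chain's default policy applies, -i and -s combined on one rule, a bare address treated as a /32), plus a generator that prints the equivalent ipchains command lines. The interface name, address range and ports are the ones from the message (eth1 as the internal NIC, 192.168.2.0/24, tcp/21 and tcp/23); the tcp/25 rules, the loopback and "! -y" prelude lines, and the function names are assumptions made for the example. ipchains itself is never executed, so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original posts): a model of ipchains "input" chain
# evaluation and a generator for the matching ruleset.  Interface, range and ports
# follow the message above; everything else is an assumption for illustration.

POLICY=DENY   # default policy of the input chain: anything no rule matches is dropped
RULES=""      # one rule per line: IFACE SRC_CIDR DPORT TARGET ("any" = no -i match)

add_rule() {          # add_rule IFACE SRC_CIDR DPORT TARGET  (appends, like ipchains -A)
    RULES="${RULES}$1 $2 $3 $4
"
}

ip2int() {            # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_match() {        # cidr_match NET/PREFIX IP : true when IP lies inside NET/PREFIX
    case $1 in
        */*) net=${1%/*}; n=${1#*/} ;;
        *)   net=$1; n=32 ;;          # bare address means /32, as with "-s 192.168.2.5"
    esac
    mask=$(( (4294967295 << (32 - n)) & 4294967295 ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

verdict() {           # verdict IN_IFACE SRC_IP DPORT -> ACCEPT or DENY
    hit=$(printf '%s' "$RULES" | while read -r iface src dport target; do
        [ "$iface" = any ] || [ "$iface" = "$1" ] || continue
        [ "$dport" = "$3" ] || continue
        cidr_match "$src" "$2" || continue
        echo "$target"; break             # first match wins; later rules never run
    done)
    echo "${hit:-$POLICY}"                # no rule matched: the default policy applies
}

emit_ipchains() {     # print the equivalent ipchains commands (review before running them)
    echo "ipchains -F input"
    echo "ipchains -P input $POLICY"
    echo "ipchains -A input -i lo -j ACCEPT"        # assumption: local services use loopback
    echo "ipchains -A input -p tcp ! -y -j ACCEPT"  # ipchains is stateless: without this a
                                                    # DENY policy also drops the replies to
                                                    # the host's own outbound TCP connections
    printf '%s' "$RULES" | while read -r iface src dport target; do
        line="ipchains -A input"
        [ "$iface" = any ] || line="$line -i $iface"
        echo "$line -s $src -p tcp --destination-port $dport -j $target"
    done
}

load_example_policy() {   # the policy discussed in the message, with -i and -s combined
    RULES=""
    add_rule eth1 192.168.2.0/24 23 ACCEPT
    add_rule eth1 192.168.2.0/24 21 ACCEPT
    # Deliberately wrong ordering for tcp/25 (assumed service) to show the dead-rule point:
    add_rule any  0.0.0.0/0      25 DENY
    add_rule any  192.168.2.0/24 25 ACCEPT   # never reached: the DENY above matches first
}

if [ "${1:-}" = demo ]; then
    load_example_policy
    emit_ipchains
    for pkt in "eth1 192.168.2.7 23" "eth0 192.168.2.7 23" "eth1 10.1.1.1 23" "eth1 192.168.2.7 25"; do
        echo "$pkt -> $(verdict $pkt)"
    done
fi
```

Run it as `sh script.sh demo` to see the generated ruleset and the verdicts for a few constructed packets. Two practical points the model makes visible: a telnet SYN arriving on eth0 from a 192.168.2.x source is still denied, because the rule requires both the interface and the source to match; and the tcp/25 ACCEPT is dead because the catch-all DENY in front of it matches first. If you apply a ruleset like this over a remote session, add the "! -y" rule immediately after setting the policy, or do it from the console, since a stateless DENY policy otherwise cuts off your own session.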
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list