At 2/1/2002 05:17 PM +0000, you wrote:
>How do you add an ipchains rule to accept connections from
>a given host (e.g. www.xxx.yyy.zzz) on a specific port (e.g. 3333)?
>
># /sbin/ipchains -I input -p tcp -s www.xxx.yyy.zzz 3333 -j ACCEPT
Almost right.

# ipchains -A input -p tcp -s www.xxx.yyy.zzz 1024:65535 -d $MY_IP_ADDRESS 3333 -j ACCEPT
# ipchains -A output -p tcp ! -y -s $MY_IP_ADDRESS 3333 -d www.xxx.yyy.zzz 1024:65535 -j ACCEPT

The differences:

1. Specifying "1024:65535" after his IP address allows connections only from unprivileged ports, which is the way it should be happening. You may eliminate this if you like, to allow connections from any port on his machine.

2. You specify the 3333 after *your* IP address, not after his. And you are specific about your IP address (not just "--destination-port 3333"), so that your firewall doesn't even allow packets destined for other servers.

3. You need an output rule as well. Otherwise his connection request will get through but nothing will get back out.

4. In the output rule, specifying "! -y" means "but NOT any SYN packets". SYN packets are those used to request connections. So the inbound rule will allow any traffic (including connection requests) and the outbound rule will allow any traffic that does not initiate a new connection. So he can connect to you but not you to him. (And he cannot get another program on your machine to connect to his box either, which is more relevant.)

--
Rodolfo J. Paiz
[EMAIL PROTECTED]

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
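The following is an added example, not code from Rodolfo's post or from the ipchains project. It does not call ipchains; it models just enough of ipchains rule matching (chain, protocol, source and destination address, port ranges, and the -y / "! -y" SYN test) to show which packets the two rules above accept and which fall through to a DENY policy. The addresses 192.0.2.10 (standing in for $MY_IP_ADDRESS) and 198.51.100.7 (standing in for www.xxx.yyy.zzz) are assumed documentation-range values, and the sample packets are constructed.

```python
"""Toy model of the two ipchains rules from the reply above (added example).

First matching rule wins, as in ipchains; an unmatched packet gets the chain
policy, assumed here to be DENY. In ipchains, "-y" matches a packet whose SYN
flag is set and whose ACK and FIN flags are clear, i.e. a connection request;
"! -y" matches everything else, so a SYN-ACK reply still passes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MY_IP = "192.0.2.10"       # assumed stand-in for $MY_IP_ADDRESS
HIS_IP = "198.51.100.7"    # assumed stand-in for www.xxx.yyy.zzz
SERVICE_PORT = 3333


@dataclass(frozen=True)
class Packet:
    chain: str      # "input" or "output"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True only for a connection request (SYN set, ACK clear)


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str
    src: str
    sports: Tuple[int, int]     # inclusive range, like "1024:65535"
    dst: str
    dports: Tuple[int, int]
    target: str
    syn: Optional[bool] = None  # None = not specified, True = -y, False = ! -y

    def matches(self, p: Packet) -> bool:
        return (p.chain == self.chain and p.proto == self.proto
                and p.src == self.src and p.dst == self.dst
                and self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1]
                and (self.syn is None or p.syn == self.syn))


# ipchains -A input  -p tcp      -s HIS 1024:65535 -d MY  3333       -j ACCEPT
# ipchains -A output -p tcp ! -y -s MY  3333       -d HIS 1024:65535 -j ACCEPT
RULES: List[Rule] = [
    Rule("input", "tcp", HIS_IP, (1024, 65535), MY_IP, (SERVICE_PORT, SERVICE_PORT), "ACCEPT"),
    Rule("output", "tcp", MY_IP, (SERVICE_PORT, SERVICE_PORT), HIS_IP, (1024, 65535), "ACCEPT", syn=False),
]


def verdict(p: Packet, rules: List[Rule] = RULES, policy: str = "DENY") -> str:
    """Walk the chain in order and return the first matching target, else the policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


# Constructed sample packets, one per point in the reply.
HIS_SYN_IN = Packet("input", "tcp", HIS_IP, 40000, MY_IP, SERVICE_PORT, syn=True)        # his connect
MY_SYNACK_OUT = Packet("output", "tcp", MY_IP, SERVICE_PORT, HIS_IP, 40000, syn=False)   # our reply
MY_SYN_OUT = Packet("output", "tcp", MY_IP, SERVICE_PORT, HIS_IP, 40000, syn=True)       # us connecting to him
MY_OTHER_PROG_OUT = Packet("output", "tcp", MY_IP, 45000, HIS_IP, 40000, syn=True)       # another program on our box
HIS_SYN_OTHER_DST = Packet("input", "tcp", HIS_IP, 40000, "192.0.2.99", SERVICE_PORT, syn=True)  # other server behind us
HIS_SYN_PRIV_PORT = Packet("input", "tcp", HIS_IP, 80, MY_IP, SERVICE_PORT, syn=True)    # from a privileged port


def table() -> List[Tuple[str, str]]:
    """Return (description, verdict) pairs for every sample packet."""
    samples = [
        ("his SYN to our :3333", HIS_SYN_IN),
        ("our SYN-ACK back to him", MY_SYNACK_OUT),
        ("our SYN from :3333 to him", MY_SYN_OUT),
        ("other local program's SYN to him", MY_OTHER_PROG_OUT),
        ("his SYN to another host's :3333", HIS_SYN_OTHER_DST),
        ("his SYN from privileged port 80", HIS_SYN_PRIV_PORT),
    ]
    return [(desc, verdict(p)) for desc, p in samples]


if __name__ == "__main__":
    for desc, v in table():
        print(f"{desc:36s} -> {v}")
```

Only the first two packets reach ACCEPT: his connection request matches the input rule, and our non-SYN reply matches the output rule. Our own SYN from port 3333 fails the "! -y" test, a SYN from any other local port never matches the output rule's source port, and both packets from him that miss the exact destination address or the unprivileged source-port range fall through to the policy, which is what points 1, 2 and 4 of the reply describe.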