* ernst@vindal.com <ernst@vindal.com> [20030402 09:21 PST]: > Hugh Saunders wrote: > >[OFF-LIST] > > > >On Wed, Apr 02, 2003 at 01:47:20PM -0100, ernst wrote: > > > >>test - please ignore > > > ><flame> > >it is *never* necessary to post a test message. > ></flame> > > > >why not just post something relevant (as that is why you joined the list > >(hopeully)) then see if you get it back? > > > >Sometimes takes 30mins or so for message to come back from the > >list servers. > > > >hugh > > Sorry about this, never do it again. > > So to my question, > I have a debian box configured as firewall with IP tables. Basicly > exepting all traffic out and only ssh in. But this rule say "Allow > everyone access". Her is from the firewall script: > <snip> > /sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT > /sbin/iptables -A INPUT -p udp --dport ssh -j ACCEPT > </snip> Why do you allow inbound UDP port 22? I've never heard of any sshd running over UDP. > > Is there an easy way to change the rule so I can limit to e.g : > one host? > one net/subnet > or users? Do you mean you only want to allow packets from a given source? How about the --source option? As for 'users', what do you mean? You can match outgoing packets with the user running the process that generated them with the --uid-owner option. For non-locally-generated packets, it just doesn't make any sense. > Another problem is when I run "iptables -L" after stop and start, stop and start what? iptables is not a running daemon. > I'll get the same result. Is there a way to "flush", or clean up the > rules? man iptables | less +/flush (the answer is '-F'). But really, these are precisely the type of questions that the man page can answer for you in a few seconds. Give it a try. good times, Vineet -- http://www.doorstop.net/ -- http://www.digitalconsumer.org/
Attachment:
pgp8__ppiHs9c.pgp
Description: PGP signature