
Re: ip_tables newbie needs help [was "test - please ignore"]




On Wed, 2 Apr 2003, Vineet Kumar wrote:

> * ernst@vindal.com <ernst@vindal.com> [20030402 09:21 PST]:
> > Hugh Saunders wrote:
> > >[OFF-LIST]
> > >
> > >On Wed, Apr 02, 2003 at 01:47:20PM -0100, ernst wrote:
> > >
> > >>test - please ignore
> > >
> > ><flame>
> > >it is *never* necessary to post a test message.
> > ></flame>
> > >
> > >why not just post something relevant (as that is why you joined the list
> > >(hopefully)) then see if you get it back?
> > >
> > >Sometimes takes 30mins or so for message to come back from the
> > >list servers.
> > >
> > >hugh
> >
> > Sorry about this, never do it again.
> >
> > So to my question,
> > I have a Debian box configured as a firewall with iptables. Basically
> > accepting all traffic out and only ssh in. But this rule says "Allow
> > everyone access". Here it is from the firewall script:
> > <snip>
> > /sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
> > /sbin/iptables -A INPUT -p udp --dport ssh -j ACCEPT
> > </snip>
>
> Why do you allow inbound UDP port 22?  I've never heard of any sshd
> running over UDP.
>

Well... there you see, I need help :)
That was taken from a Google result. I thought about the same thing, but
wasn't 100% sure, so I just added UDP as well.

> >
> > Is there an easy way to change the rule so I can limit to e.g :
> > one host?
> > one net/subnet
> > or users?
>
> Do you mean you only want to allow packets from a given source?  How
> about the --source option?
>

I have looked at it; that would partly solve what I have thought about
for how to config my firewall. But if I read the man page right, this option has
its limitations.
I also looked at the "mac" option, and that will, I think, cover what I thought
of.
Let's say that I only want to grant access to me, from my laptop when I'm
traveling; then I could use that option. Right?

> As for 'users', what do you mean? You can match outgoing packets with
> the user running the process that generated them with the --uid-owner
> option.  For non-locally-generated packets, it just doesn't make any
> sense.
>

Maybe I wasn't clear: I want access to that firewall from outside with
ssh, and only me. Then I need some validation, right? If I can do that with
the MAC address, that's fine, but I can't limit the access to an IP
range/single address. Then it wouldn't be possible to access it when
traveling, logging on from different locations.

> > Another problem is when I run "iptables -L" after stop and start,
>
> stop and start what?  iptables is not a running daemon.
>

I've got two files for the firewall, one firewall.rules and a script
collecting the rules from that file and enabling IP forwarding. Then I
can: start, stop, restart, list.

> > I'll get the same result. Is there a way to "flush", or clean up the
> > rules?
>
> man iptables | less +/flush
>

Done that; the command didn't make any difference.

> (the answer is '-F').  But really, these are precisely the type of
> questions that the man page can answer for you in a few seconds.  Give
> it a try.
>
> good times,
> Vineet
>
> --
> http://www.doorstop.net/
> --
> http://www.digitalconsumer.org/
>

Thanks a lot for the tips and pointers, I'll know what to look into now :)
I guess one or more of these options will solve my problem.

thanks
/ernst
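Added example, not from either poster and not from any Debian script: the points Vineet raises (flush with -F so a "restart" never stacks duplicate rules, restrict the ssh rule with --source, and drop the UDP/22 line since sshd is TCP only) combined into one rule set. The script prints the iptables commands instead of running them, so the result can be reviewed before being piped to sh on the firewall. The path /sbin/iptables and the admin network 203.0.113.0/24 (an RFC 5737 documentation range) are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: emit an iptables rule set that starts from a
# flushed state and allows inbound ssh only from one admin network.
# IPTABLES defaults to /sbin/iptables; override it in the environment.
IPTABLES=${IPTABLES:-/sbin/iptables}

# build_rules ADMIN_NET
# ADMIN_NET is the only source allowed to reach sshd, e.g. 203.0.113.0/24.
# Prints the commands to stdout; nothing is applied here.
build_rules() {
    admin_net=$1
    cat <<EOF
# start clean: flush every chain so stop/start never stacks duplicates
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
# default deny inbound and forwarded traffic, allow outbound
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# loopback, and replies to connections the box opened itself
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh is TCP only: no UDP/22 rule, and only from the admin network
$IPTABLES -A INPUT -p tcp --dport 22 --source $admin_net -j ACCEPT
# log what gets dropped so a locked-out admin shows up in syslog
$IPTABLES -A INPUT -j LOG --log-prefix "fw-drop: "
EOF
}

# count_accept_rules RULESET
# Sanity check on a generated set: how many explicit ACCEPT rules it has.
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# usage: sh rules.sh 203.0.113.0/24        (review the output first)
#        sh rules.sh 203.0.113.0/24 | sh   (apply it on the firewall)
[ $# -ge 1 ] && build_rules "$1"
```

Because -P INPUT DROP is set before the ssh rule is added, the order matters when the output is applied over an existing session: the ESTABLISHED,RELATED rule keeps the current connection alive, and the LOG rule at the end shows in syslog which source got dropped if the admin network was typed wrong.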
