
Re: ip_tables newbie needs help [was "test - please ignore"]



* Ernst-Magne Vindal <ernst@bluezone.no> [20030403 02:54 PST]:
> On Wed, 2 Apr 2003, Vineet Kumar wrote:
> > * ernst@vindal.com <ernst@vindal.com> [20030402 09:21 PST]:
> > >
> > > Is there an easy way to change the rule so I can limit to e.g :
> > > one host?
> > > one net/subnet
> > > or users?
> >
> > Do you mean you only want to allow packets from a given source?  How
> > about the --source option?
> >
> 
> I have looked at it, that would partly solve what I have thought about
> how to config my firewall. But if I read the man right, this option has
> its limitations.
> I also looked at the "mac" option, and that will, I think, cover what I
> thought of.
> Let's say that I only want to grant access to me, from my laptop when I'm
> traveling, then I could use that option. Right?

Actually, no ... read below.

> 
> > As for 'users', what do you mean? You can match outgoing packets with
> > the user running the process that generated them with the --uid-owner
> > option.  For non-locally-generated packets, it just doesn't make any
> > sense.
> >
> 
> Maybe I wasn't clear, I want access to that firewall from outside with
> ssh, and only me. Then I need some validation, right? If I can do that with
> the mac address, that's fine, but I can't limit the access to an IP
> range/single address. Then it wouldn't be possible to access when
> traveling, logging on from different locations.

Nope, that isn't going to work.  A MAC address is an ethernet address.
It's only relevant on one physical network.  So when, for example,
192.168.1.2 talks directly to 192.168.1.1, they see each other's MAC
address.  But when 192.168.1.2 talks to 128.32.136.9 via a gateway (say
192.168.1.1) each endpoint only sees the MAC address of the nearest
router on that path.  In fact, all of the hops on the path need not even
be ethernet, and thus might not have any concept of a MAC address.

The best way to do what you want is probably just to allow ssh from
anywhere.  If you know you only want to access it from particular
locations and/or networks, you can add in those specific addresses only,
but I'm guessing that for your purposes, that's trading too much
convenience for too little security.

> 
> > > Another problem is when I run "iptables -L" after stop and
> > > start,
> >
> > stop and start what?  iptables is not a running daemon.
> >
> 
> I got two files for the firewall, one firewall.rules and a script
> collecting the rules from that file and enabling ip forwarding. Then I
> can: start, stop, restart, list.
> 
> > > I'll get the same result. Is there a way to "flush", or clean up the
> > > rules?
> >
> > man iptables | less +/flush
> >
> 
> done that, the command didn't make any difference.

hahaha!  Did you really do that?  Let me spell it out for you a bit more.  I'm sorry to laugh; I don't mean to make fun, but that's really funny.

at a shell prompt, type in "man iptables | less +/flush"
hit enter
DON'T hit 'q' until you figure out how to flush a chain.
If you need a hint, read the paragraph below one more time.

> > (the answer is '-F').  But really, these are precisely the type of
> > questions that the man page can answer for you in a few seconds.  Give
> > it a try.

the command "man iptables | less +/flush" is how you read the man page.
Piping the manpage into "less +/flush" tells less to search for "flush".
So you should now be looking at the iptables man page, right at the
section that documents the command to flush a chain.  Read it!

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes."  -- E.W. Dijkstra
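As an added example, not part of the original thread or of either poster's own scripts: a small start/stop/restart/list wrapper of the kind Ernst describes, written to show the three points the reply makes. The flush (-F, plus -X and -Z) runs before every start, so a "restart" does not stack a second copy of every rule on top of the first; ssh is limited to particular hosts or subnets with --source; and the mac match is shown only as a commented-out rule, because it can match nothing but the last hop's Ethernet address. The external interface name eth0, the addresses 198.51.100.7 and 192.0.2.0/24 (documentation ranges, made up for the example) and the default-DROP INPUT policy are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Wrapper around the
# iptables CLI with start/stop/restart/list, as in Ernst's description.
# Assumptions: eth0 is the external interface; 198.51.100.7 and
# 192.0.2.0/24 are the admin's home host and office network (made up);
# a DROP policy on INPUT is acceptable for this host.
# Set IPT=echo to dry-run: the commands are printed, not loaded.

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
# Sources allowed to ssh in. Leave empty to allow ssh from anywhere,
# which is what the reply recommends for a laptop that roams.
SSH_SOURCES="${SSH_SOURCES:-198.51.100.7 192.0.2.0/24}"

fw_flush() {
    # -F flushes every rule in every chain of a table, -X removes the
    # now-empty user-defined chains, -Z zeroes the counters. Without
    # this, re-running the rules file appends a second copy of every
    # rule, which is why "iptables -L" looked unchanged after a restart.
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
}

fw_stop() {
    fw_flush
    # Open policies: the host is unfiltered but stays reachable.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

fw_start() {
    fw_flush
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh: one rule per allowed source host/subnet, or one rule for
    # anywhere when the list is empty.
    if [ -n "$SSH_SOURCES" ]; then
        for src in $SSH_SOURCES; do
            $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 --source "$src" \
                -m state --state NEW -j ACCEPT
        done
    else
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 \
            -m state --state NEW -j ACCEPT
    fi
    # Not a substitute for the rules above: --mac-source matches the
    # source address of the Ethernet frame, i.e. the last hop. For a
    # packet that crossed a router, that is the router's MAC, never the
    # laptop's, so a rule like this can only ever admit a host that sits
    # on the same LAN segment as this interface (eth1 assumed internal).
    # $IPT -A INPUT -i eth1 -m mac --mac-source 00:11:22:33:44:55 \
    #     -p tcp --dport 22 -j ACCEPT
}

fw_list() {
    $IPT -L -n -v --line-numbers
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    list)    fw_list ;;
    "")      ;;  # no argument: define the functions only
    *)       echo "usage: $0 {start|stop|restart|list}" >&2 ;;
esac
```

Running it as `IPT=echo sh firewall.sh start` prints the exact iptables commands that a real start would issue, which is the quickest way to check that the flush comes first and that the --source rules say what you meant before loading them as root.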
