
Re: ip_tables newbie needs help [was "test - please ignore"]



Vineet Kumar wrote:

* Ernst-Magne Vindal <ernst@bluezone.no> [20030403 02:54 PST]:
On Wed, 2 Apr 2003, Vineet Kumar wrote:
* ernst@vindal.com <ernst@vindal.com> [20030402 09:21 PST]:
Is there an easy way to change the rule so I can limit to e.g.:
one host?
one net/subnet?
or users?
Do you mean you only want to allow packets from a given source?  How
about the --source option?

I have looked at it, that would partly solve what I have thought about
how to config my firewall. But if I read the man right, this option has
its limitations.
I also looked at the "mac" option, and that will, I think, cover what I thought
of.
Let's say that I only want to grant access to me, from my laptop when I'm
traveling, then I could use that option. Right?

Actually, no ... read below.

As for 'users', what do you mean? You can match outgoing packets with
the user running the process that generated them with the --uid-owner
option.  For non-locally-generated packets, it just doesn't make any
sense.

Maybe I wasn't clear, I want access to that firewall from outside with
ssh, and only me. Then I need some validation, right? If I can do that with
the MAC address, that's fine, but I can't limit the access to an IP
range/single address. Then it wouldn't be possible to access it when
traveling, logging on from different locations.

Nope, that isn't going to work.  A MAC address is an ethernet address.
It's only relevant on one physical network.  So when, for example,
192.168.1.2 talks directly to 192.168.1.1, they see each other's MAC
address.  But when 192.168.1.2 talks to 128.32.136.9 via a gateway (say
192.168.1.1) each endpoint only sees the MAC address of the nearest
router on that path.  In fact, all of the hops on the path need not even
be ethernet, and thus might not have any concept of a MAC address.

The best way to do what you want is probably just to allow ssh from
anywhere.  If you know you only want to access it from particular
locations and/or networks, you can add in those specific addresses only,
but I'm guessing that for your purposes, that's trading too much
convenience for too little security.

Another problem is when I run "iptables -L" after stop and
start,
stop and start what?  iptables is not a running daemon.

I got two files for the firewall, one firewall.rules and a script
collecting the rules from that file and enabling ip forwarding. Then I
can: start, stop, restart, list.

I'll get the same result. Is there a way to "flush", or clean up the
rules?
man iptables | less +/flush

Done that, the command didn't make any difference.

hahaha!  Did you really do that?  Let me spell it out for you a bit more.  I'm sorry to laugh; I don't mean to make fun, but that's really funny.

at a shell prompt, type in "man iptables | less +/flush"
hit enter
DON'T hit 'q' until you figure out how to flush a chain.
If you need a hint, read the paragraph below one more time.

(the answer is '-F').  But really, these are precisely the type of
questions that the man page can answer for you in a few seconds.  Give
it a try.

The command "man iptables | less +/flush" is how you read the man page.
Piping the manpage into "less +/flush" tells less to search for "flush".
So you should now be looking at the iptables man page, right at the
section that documents the command to flush a chain.  Read it!

good times,
Vineet
I'm still laughing, Vineet... did you really think I did the command:

man iptables | less +/flush

and expected the iptables rules to be flushed :) Wow....

No, of course not. I RTFM'd and then flushed.

Anyway,
things are working fine now. Thanks for a good laugh and the help.

/ernst
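The start/stop/restart/list wrapper Ernst describes, written out here as an added example (not the poster's own script or anything from the iptables project): it flushes the filter table with -F and then allows ssh only from explicit --source addresses, which is the approach Vineet recommends over MAC matching. The allowed addresses and the IPT dry-run variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example: minimal ssh-restricting firewall wrapper (start|stop|restart|list).
# IPT defaults to the real iptables binary; set IPT=echo to dry-run and just print rules.
IPT="${IPT:-iptables}"

# Assumed (hypothetical) permitted sources: a home subnet and one office host.
# --source accepts a single address or a CIDR network; one rule is added per entry.
ALLOWED_SSH_SOURCES="${ALLOWED_SSH_SOURCES:-192.168.1.0/24 203.0.113.10}"

flush_rules() {
    # -F deletes every rule in every chain of the filter table; -X removes user chains.
    # Chain policies survive -F, so reset them to ACCEPT when stopping the firewall.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
}

start_rules() {
    flush_rules
    "$IPT" -P INPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One ACCEPT per permitted source. A MAC match (-m mac) would be useless here:
    # packets arriving from beyond the local segment carry the next-hop router's MAC.
    for src in $ALLOWED_SSH_SOURCES; do
        "$IPT" -A INPUT -p tcp --dport 22 --source "$src" -j ACCEPT
    done
    # Log, then drop, ssh attempts from everywhere else.
    "$IPT" -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-denied: "
    "$IPT" -A INPUT -p tcp --dport 22 -j DROP
}

list_rules() {
    "$IPT" -L -n -v --line-numbers
}

case "${1:-}" in
    start)   start_rules ;;
    stop)    flush_rules ;;
    restart) flush_rules; start_rules ;;
    list)    list_rules ;;
esac
```

Run `IPT=echo sh firewall.sh start` first to review the generated rules before applying them as root.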