Tim:
>>> You can have a default drop rule on all input traffic, then add a couple
>>> of specific rules to allow it from your local network, and another to
>>> allow it from a specific address.

Luc MAIGNAN:
>> In fact, isn't that what I wrote?

Res:
> No, I believe Tim meant a default drop "policy" then the rules you add are
> accepts.
>
> eg:
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -s special.ip.allowed -j ACCEPT

Res is right, that's what I meant, and I think I see the problem in your original rules:

>>>> (1) : iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT

If address is this (above), allow. So far so good. It'll do what you expect.

>>>> (2) : iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP

If address is not that (above), don't allow. The 192.168. address *also* is not that address, and I think this rule will be processed on top of the prior one.

Change that to being one where, if it *is* the specific address that you want, you accept it. Then you'll have two accept rules that don't conflict. Alternatively, you could try putting this rule before the other.

Your later message about having a default drop policy means that the specific drop rule, above, is redundant, anyway.

It's ages since I wrote any complex iptables rules, and I always tried to avoid negative logic, especially in combination with other things. If you have different interfaces (e.g. internet on ppp0 and LAN on eth0), it gets easier to treat one differently than the other, but when you have everything through the same interface you have to do it using the addresses.

--
(This PC runs FC4, my others FC5 & FC6, in case that's important to the thread)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
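An added illustration of the ordering problem Tim describes (editor's example, not code from the thread): a small model of iptables first-match evaluation on the INPUT chain, where `-I` puts a rule at the head and `-A` at the tail. The address 203.0.113.5 is a constructed stand-in for the thread's `x.x.x.x` / `special.ip.allowed` placeholder, and `ssh` is taken as port 22.

```python
import ipaddress

SSH = 22  # assumption: the thread's "--dport ssh" resolves to 22

def rule(src, target, negate=False, dport=None):
    """One INPUT rule: match on source (optionally negated, like '-s ! addr') and dport."""
    return {"src": ipaddress.ip_network(src), "negate": negate,
            "dport": dport, "target": target}

def insert(chain, r):
    # iptables -I: the new rule goes to the head, in front of rules added earlier
    return [r] + chain

def append(chain, r):
    # iptables -A: the new rule goes to the tail, behind rules added earlier
    return chain + [r]

def matches(r, src, dport):
    in_net = ipaddress.ip_address(src) in r["src"]
    src_ok = (not in_net) if r["negate"] else in_net
    port_ok = r["dport"] is None or r["dport"] == dport
    return src_ok and port_ok

def verdict(chain, policy, src, dport):
    """Netfilter semantics: the first matching rule decides; else the chain policy applies."""
    for r in chain:
        if matches(r, src, dport):
            return r["target"]
    return policy

def original_rules():
    # Luc's commands (1) then (2), both with -I, so (2) ends up evaluated first.
    chain = []
    chain = insert(chain, rule("192.168.0.0/24", "ACCEPT", dport=SSH))             # (1)
    chain = insert(chain, rule("203.0.113.5/32", "DROP", negate=True, dport=SSH))  # (2)
    # A LAN host is "not 203.0.113.5" too, so the negated DROP catches it first.
    return verdict(chain, "ACCEPT", "192.168.0.10", SSH)  # -> "DROP"

def fixed_rules():
    # The shape Res and Tim recommend: default DROP policy, only positive ACCEPT rules.
    chain = []
    chain = append(chain, rule("192.168.0.0/24", "ACCEPT", dport=SSH))
    chain = append(chain, rule("203.0.113.5/32", "ACCEPT", dport=SSH))
    # Constructed sample sources: a LAN host, the special address, an outsider.
    return {h: verdict(chain, "DROP", h, SSH)
            for h in ("192.168.0.10", "203.0.113.5", "198.51.100.7")}
```

Swapping the `insert` calls in `original_rules` for `append` (so (1) stays in front of (2)) is the "put this rule before the other" alternative Tim mentions, and the LAN host is then accepted.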