tony.chamberlain@xxxxxxxxx wrote on Thursday 09 August 2007:

> I read a bit about how you can drop packets with iptables.
> I was wondering whether you could do just the opposite,
> use iptables to specify only the IPs you will accept from?

Of course you can.

    # default policy for the INPUT chain: drop everything not explicitly accepted
    iptables -P INPUT DROP
    # accept packets whose source address is the trusted host
    iptables -A INPUT -s <trusted_ip_here> -j ACCEPT

This scenario (accepting only specific IP packets) is more secure but also
more difficult to set up. The above example sets the default policy for
incoming IP packets to DROP, unless you define a rule (in this example the
second one) which allows them in.

Read this:
http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

> We can't use firewalls, and I don't understand selinux well enough
> to know if it will do what we want. we can't really use VPN either.

I suppose you are mixing things up.

A firewall is a dedicated computer which filters packets between the
internet and the local net. Some people call a packet filter a "firewall".

SELinux is a security patch for the Linux kernel whose main purpose is to
restrict applications' privileges beyond the simple owner/group/other
scheme.

VPN stands for Virtual Private Network and denotes a secure tunnel between
two (trusted) local nets over the internet. There are several
implementations of it, e.g. OpenVPN, IPSec, SSH-IP-Tunneling...

All three terms are related but independent.

-- 
Bye, Adalbert

A right is not what someone gives you; it's what no one can take from you.
-- Ramsey Clark
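The allowlist approach sketched in the reply, worked out as an added example (this is not code from the thread). It generates a complete ruleset in iptables-restore format rather than issuing rules one by one, so the whole set is loaded atomically and the default DROP policy never takes effect before the ACCEPT rules exist. The loopback and ESTABLISHED,RELATED rules, the input validation, and the sample addresses (constructed from the RFC 5737 documentation ranges) are my additions, not something the original message describes.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset that accepts traffic only from
# listed source addresses. Nothing here touches the live firewall; the
# output is meant to be inspected and then loaded with iptables-restore.

# Reject anything that is not a plain dotted IPv4 address or CIDR range,
# because a single bad entry makes iptables-restore refuse the whole file.
is_ipv4_or_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $@ = trusted source IPs or CIDR ranges. Prints the ruleset on stdout,
# or prints nothing and returns 1 if any argument fails validation.
gen_allowlist_rules() {
    for ip in "$@"; do
        is_ipv4_or_cidr "$ip" || { echo "rejected address: $ip" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # Default policies: drop unsolicited input and forwarding, allow output.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Assumption: the host still needs loopback and the replies to its own
    # outgoing connections, otherwise local services and DNS lookups break.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Helper for checking the generated set: number of ACCEPT rules it contains.
count_accept_rules() {
    gen_allowlist_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage (as root, on the target host):
#   gen_allowlist_rules 192.0.2.10 198.51.100.0/24 > /tmp/allowlist.rules
#   iptables-restore --test /tmp/allowlist.rules   # parse only, no commit
#   iptables-restore < /tmp/allowlist.rules        # load the whole set atomically
TRUSTED="192.0.2.10 198.51.100.0/24"   # constructed sample values
gen_allowlist_rules $TRUSTED
```

Loading via iptables-restore, rather than running `iptables -P INPUT DROP` first and appending ACCEPT rules afterwards, matters when you administer the box over the network: with the one-command-at-a-time approach there is a window between the policy change and the first ACCEPT rule during which your own session is dropped.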