On Thu, 2007-08-09 at 18:50 +0000, tony.chamberlain@xxxxxxxxx wrote:
>
> I read a bit about how you can drop packets with iptables.
> I was wondering whether you could do just the opposite,
> use iptables to specify only the IPs you will accept from?
>
> We can't use firewalls, and I don't understand selinux well enough
> to know if it will do what we want. We can't really use VPN either.
>
> Anyone know how to specify in iptables only what to allow?
> --

Tony,

You surely can use iptables for what you want to do. There are several packages that can help you set up iptables to block, allow, or even route ip addresses. A couple are:

shorewall
fwbuilder

However, I would encourage you to start at the netfilter site: http://www.netfilter.org

There are several ways to set up iptables: to close everything and then open up the ip addresses desired, or the ports that are desired for either a range of ip addresses or all ip addresses, is one way; or to open up certain features for specific ip addresses or ports and then close everything else.

Here is a quick example of a small set up for a gateway machine with two nic cards. Make sure you spend the time to study the netfilter site. I never found any study primer for iptables that was as good as the web site.
Good Luck
Greg

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [11973:2654466]
:LOG_ACCEPT - [0:0]
:LOG_DROP - [0:0]
:Smile-1-INPUT - [0:0]
# Both incoming and forwarded traffic go through the same custom chain
-A FORWARD -j Smile-1-INPUT
-A INPUT -j Smile-1-INPUT
-A Smile-1-INPUT -i lo -j ACCEPT
# Allow only two PC's to use telnet
-A Smile-1-INPUT -p tcp -d 10.0.0.### -s 10.0.0.53 --dport 23 -j ACCEPT
-A Smile-1-INPUT -p tcp -d 10.0.0.### -s 10.0.0.59 --dport 23 -j ACCEPT
-A Smile-1-INPUT -p tcp --dport 23 -j LOG_DROP
# Trusted sources: the local LAN plus a few specific addresses
-A Smile-1-INPUT -s 10.0.0.0/24 -j ACCEPT
-A Smile-1-INPUT -s ###.###.###.250 -j ACCEPT
-A Smile-1-INPUT -s ###.###.###.251 -j ACCEPT
-A Smile-1-INPUT -s ###.###.###.03 -j ACCEPT
# Turn ping on for everyone with next line
#-A Smile-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A Smile-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A Smile-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Smile-1-INPUT -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT
# Anything that reached this point on either NIC is logged and dropped
-A Smile-1-INPUT -i eth0 -j LOG_DROP
-A Smile-1-INPUT -i eth1 -j LOG_DROP
# LOG ACCEPT
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level debug
COMMIT
*nat
:PREROUTING ACCEPT [57:3472]
:POSTROUTING ACCEPT [6:572]
:OUTPUT ACCEPT [58:8259]
# Rewrite the source of traffic leaving eth0 to the gateway's external address
-A POSTROUTING -o eth0 -j SNAT --to-source ###.###.###.194
COMMIT
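An added example, not from Greg's mail or from the netfilter project: a small POSIX shell script that generates the "close everything, then open only the listed sources" variant Greg describes, in iptables-save format so it can be reviewed before loading. The addresses, ports and the LOG_DROP chain in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Greg's ruleset): build a default-deny INPUT policy that
# admits NEW connections only from an allowlist of sources. Output is in
# iptables-save format; load it with
#   allowlist_ruleset "10.0.0.53 10.0.0.59" "22" | iptables-restore
# All addresses and ports below are constructed placeholders.

# $1: space-separated source addresses or CIDR networks to accept
# $2: space-separated TCP ports those sources may open
allowlist_ruleset() {
    sources=$1
    ports=$2
    echo '*filter'
    # Chain policies: whatever is not explicitly accepted is dropped.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':LOG_DROP - [0:0]'
    # Loopback and replies to connections this host opened stay allowed;
    # without the RELATED,ESTABLISHED rule outbound DNS and updates break.
    # (Newer iptables prefers "-m conntrack --ctstate"; "-m state" still works.)
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # One ACCEPT per (source, port) pair, restricted to NEW connections;
    # later packets of the same flow match the state rule above.
    for src in $sources; do
        for port in $ports; do
            echo "-A INPUT -s $src -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
        done
    done
    # Everything else is logged (rate-limited so a scan cannot flood syslog)
    # and then dropped.
    echo '-A INPUT -j LOG_DROP'
    echo '-A LOG_DROP -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "[IPTABLES DROP] : "'
    echo '-A LOG_DROP -j DROP'
    echo 'COMMIT'
}

# Review helper: count the rules in a ruleset (read from stdin) that admit
# NEW connections, as a sanity check before loading it.
count_new_accepts() {
    grep -c -- '--state NEW .* -j ACCEPT' || true
}

# Stand-alone use: print the ruleset for two constructed hosts and SSH only.
allowlist_ruleset "10.0.0.53 10.0.0.59" "22"
```

Apply a ruleset like this from the console or with a scheduled rollback, since a default-deny INPUT policy with an incomplete allowlist cuts off remote administration.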