Re: iptables - how would you do this?

Date: 07/05/05

On Tue, 05 Jul 2005 17:00:11 GMT, Martin Woolley wrote:
> Greetings and Felicitations,
> We run a linux thin client setup with several servers, and we want two
> of these servers to only accept connections from specific clients. On
> these machines, I have set up the following rules via iptables
> -A INPUT -s -i eth1 -j ACCEPT
> -A INPUT -s -i eth1 -j ACCEPT
> -A INPUT -s -i eth1 -j ACCEPT
> -A INPUT -s -i eth1 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C7:39 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C8:F7 -j ACCEPT
> -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j DROP
> What I think this should do is
> - reject any connections from the network.

Why REJECT this range specifically? If an IP address is not in an ACCEPT
rule it will not be accepted.

> - accept connections from the 4 specified hosts on the
> network.


> - accept connections from the two specified mac addresses (which are
> thin clients)

Don't know about this one.

> - reject all other DHCP requests.

Your rule is dropping all "udp" packets to ports 67 & 68, not rejecting them.

> However the machine is still issuing IP addresses in reply to a DHCP
> request. How can we prevent this, bearing in mind that the dhcpd must
> be running for the clients that we want to connect to do just that.

Why are you even using DHCP if you are only accepting 6 connections?

> Thanks
> --
> Regards
> Martin Woolley
> ICT Support
> Handsworth Grammar School
> Isis Astarte Diana Hecate Demeter Kali Inanna
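Added example, not part of either message above: a script that emits the restrictive INPUT chain the original post is aiming for, in iptables-restore format, together with the dhcpd.conf fragment that actually stops the server handing out leases to unknown clients. Two points worth having in front of you when reproducing the post's setup. First, the posted fragment shows no chain policy; "not in an ACCEPT rule, so not accepted" only holds once INPUT's default policy is DROP, so the ruleset below sets it explicitly and puts the MAC ACCEPT rules ahead of the DHCP DROP. Second, ISC dhcpd on Linux reads requests from a raw packet socket, which sees frames before the IP-layer INPUT chain filters them, so an INPUT DROP does not stop dhcpd answering; the MAC-based restriction for the DHCP server itself belongs in dhcpd.conf (`deny unknown-clients` plus a `host` declaration per allowed client). The subnet, the four client IPs and the `thinclientN` host names are assumptions (the post elides the addresses); the two MAC addresses are the ones from the post.

```shell
#!/bin/sh
# Added example (not the poster's or the responder's code). Generates an
# iptables-restore ruleset and a dhcpd.conf fragment restricting a server
# to a fixed set of clients by IP and MAC.

ALLOWED_IPS="192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14"  # assumption
ALLOWED_MACS="00:11:85:E3:C7:39 00:11:85:E3:C8:F7"                 # from the post
IFACE="eth1"
SUBNET="192.168.1.0"                                              # assumption
NETMASK="255.255.255.0"                                           # assumption

# Print the INPUT chain in iptables-restore format (load atomically with
# `gen_iptables | iptables-restore`). Order matters: every ACCEPT for an
# allowed client precedes the DHCP DROP, and the chain policy is DROP so
# anything not listed is discarded without needing a rule per range.
gen_iptables() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in $ALLOWED_IPS; do
        echo "-A INPUT -s $ip -i $IFACE -j ACCEPT"
    done
    # A DHCP DISCOVER comes from 0.0.0.0 to 255.255.255.255 (udp 68 -> 67),
    # so a source-IP rule can never match it; match the client MAC instead.
    for mac in $ALLOWED_MACS; do
        echo "-A INPUT -i $IFACE -m mac --mac-source $mac -j ACCEPT"
    done
    # Log and drop DHCP from anyone else (explicit, so denied requests are
    # visible in the kernel log rather than silently hitting the policy).
    echo "-A INPUT -i $IFACE -p udp --sport 68 --dport 67 -j LOG --log-prefix 'dhcp-denied: '"
    echo "-A INPUT -i $IFACE -p udp --sport 68 --dport 67 -j DROP"
    echo 'COMMIT'
}

# Print the dhcpd.conf fragment: leases only for clients with a host
# declaration, so dhcpd itself refuses unknown MACs regardless of iptables.
gen_dhcpd() {
    echo "subnet $SUBNET netmask $NETMASK {"
    echo "    range 192.168.1.100 192.168.1.150;   # assumption"
    echo "    deny unknown-clients;"
    echo "}"
    n=1
    for mac in $ALLOWED_MACS; do
        printf 'host thinclient%d { hardware ethernet %s; }\n' "$n" "$mac"
        n=$((n + 1))
    done
}

# Sanity check on the generated chain: exit 0 only if the last MAC ACCEPT
# rule appears before the DHCP DROP rule (a DROP placed earlier would win).
rules_ordered_ok() {
    gen_iptables | awk '
        /--mac-source/ && /-j ACCEPT/ { last_accept = NR }
        /--dport 67/ && /-j DROP/     { drop = NR }
        END { exit !(drop > 0 && last_accept > 0 && last_accept < drop) }'
}

gen_iptables
echo
gen_dhcpd
```

Load the chain with `gen_iptables | iptables-restore` and append the dhcpd output to `/etc/dhcpd.conf` before restarting dhcpd; run `rules_ordered_ok` after any edit to the rule list to confirm the allow rules still sit above the DHCP drop.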