Re: iptables - how would you do this?
From: SEND NO SPAM (spam_at_dodgeit.com)
Date: Tue, 05 Jul 2005 17:00:11 GMT
> Greetings and Felicitations,
> We run a linux thin client setup with several servers, and we want two
> of these servers to only accept connections from specific clients. On
> these machines, I have set up the following rules via iptables
> -A INPUT -s 192.168.0.0/255.255.255.0 -j REJECT
> -A INPUT -s 172.24.0.19 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.27 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.28 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.29 -i eth1 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C7:39 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C8:F7 -j ACCEPT
> -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j DROP
> What I think that this should do is
> - reject any connections from the 192.168.0.0 network.
Why REJECT this range specifically? If an IP address is not in an accept
rule, it will not be accepted.
> - accept connections from the 4 specified hosts on the 172.24.0.0
> - accept connections from the two specified mac addresses (which are
> thin clients)
Don't know about this one.
> - reject all other DHCP requests.
Your rule is dropping all "udp" packets to ports 67 & 68, not rejecting them.
> However the machine is still issuing IP addresses in reply to a DHCP
> request. How can we prevent this, bearing in mind that the dhcpd must
> be running for the clients that we want to connect to do just that.
Why are you even using dhcp if you are only accepting 6 connections ???
> Martin Woolley
> ICT Support
> Handsworth Grammar School
> Isis Astarte Diana Hecate Demeter Kali Inanna
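An added example, not from either poster, of how the rule set quoted above is normally written as a whitelist: the INPUT chain policy is set to DROP, so anything not explicitly accepted is dropped. The posted rules never set a policy or end with a drop, so under the default ACCEPT policy every host that matches no rule is let in anyway, and the 192.168.0.0/24 REJECT is the only thing actually being blocked. The script reuses the four addresses and two MACs from the post and assumes eth1 is the client-facing interface; it only prints an iptables-restore file so the result can be inspected before loading.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits an iptables-restore
# ruleset that accepts only the listed client IPs and MACs on CLIENT_IF and
# drops everything else. The address lists are the ones from the post; the
# interface name is an assumption.

ALLOWED_IPS="172.24.0.19 172.24.0.27 172.24.0.28 172.24.0.29"
ALLOWED_MACS="00:11:85:E3:C7:39 00:11:85:E3:C8:F7"
CLIENT_IF="eth1"

build_ruleset() {
  printf '%s\n' '*filter'
  # Policy DROP on INPUT: no final "drop the rest" rule is needed, and the
  # separate REJECT for 192.168.0.0/24 becomes redundant.
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # Loopback and replies to connections this host initiated.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # Whitelisted client IPs, new connections only, on the client interface.
  for ip in $ALLOWED_IPS; do
    printf '%s\n' "-A INPUT -i $CLIENT_IF -s $ip -m state --state NEW -j ACCEPT"
  done
  # Whitelisted MACs. A DHCPDISCOVER has source IP 0.0.0.0, so the IP rules
  # above cannot match it; these MAC rules are what let the two thin clients'
  # DHCP traffic through. The mac match only sees the MAC of the last hop,
  # so it is meaningful only for hosts on the directly attached segment.
  for mac in $ALLOWED_MACS; do
    printf '%s\n' "-A INPUT -i $CLIENT_IF -m mac --mac-source $mac -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

if [ "${1:-}" = "--apply" ]; then
  build_ruleset | iptables-restore   # needs root; loads the table atomically
else
  build_ruleset                      # dry run: print the ruleset to review
fi
```

Run it with no arguments to review the output, then `./whitelist.sh --apply` as root and check with `iptables -L INPUT -v -n` that the policy line reads `DROP`. Two caveats for the thread's use case: source IPs and MACs are trivially spoofable, so this is a convenience filter rather than authentication; and ISC dhcpd on Linux reads requests through a raw packet socket, so INPUT rules are not a dependable way to stop it answering. Restricting the server itself (`deny unknown-clients;` in dhcpd.conf together with `host` entries carrying the two thin clients' `hardware ethernet` addresses) is the reliable fix for the DHCP part of the question.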