Re: iptables - how would you do this?

From: SEND NO SPAM (spam_at_dodgeit.com)
Date: 07/05/05


Date: Tue, 05 Jul 2005 17:00:11 GMT

martin.woolley@misys.com wrote:
> Greetings and Felicitations,
>
> We run a linux thin client setup with several servers, and we want two
> of these servers to only accept connections from specific clients. On
> these machines, I have set up the following rules via iptables
>
> -A INPUT -s 192.168.0.0/255.255.255.0 -j REJECT
> -A INPUT -s 172.24.0.19 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.27 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.28 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.29 -i eth1 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C7:39 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C8:F7 -j ACCEPT
> -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j DROP
>
> What I think that this should do is
> - reject any connections from the 192.168.0.0 network.

Why REJECT this range specifically? If an IP address is not in an accept
rule it will not be accepted.

> - accept connections from the 4 specified hosts on the 172.24.0.0
> network.

OK

> - accept connections from the two specified mac addresses (which are
> thin clients)

Don't Know about this one

> - reject all other DHCP requests.

Your rule is dropping all "udp" packets to ports 67 & 68, not rejecting them.

>
> However the machine is still issuing IP addresses in reply to a DHCP
> request. How can we prevent this, bearing in mind that the dhcpd must
> be running for the clients that we want to connect to do just that.

Why are you even using dhcp if you are only accepting 6 connections ???

>
> Thanks
> --
> Regards
> Martin Woolley
> ICT Support
> Handsworth Grammar School
> Isis Astarte Diana Hecate Demeter Kali Inanna
>
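An added example, not from either poster in this thread: a small Python model of how netfilter walks the quoted INPUT rules (first matching rule decides, otherwise the chain's default policy applies), run over a few constructed packets. It shows that a DHCP request from an unlisted MAC does reach the DROP rule, that the listed 172.24.0.x hosts and MACs are accepted by the rules above it, and that the allow-list only holds if the INPUT policy (which the quoted rules do not show) is DROP; with an ACCEPT policy every unlisted host is let in. The sample addresses, MACs and the `Packet`/`Rule` classes are assumptions made for this model. One caveat the model does not capture: ISC dhcpd on Linux reads DHCP requests through a packet socket, which receives frames before the IP layer's INPUT hook, so INPUT rules alone do not stop the daemon from seeing and answering requests; restricting the clients in dhcpd's own configuration (for example `deny unknown-clients;` with host declarations for the thin clients) is the reliable control.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The INPUT rules quoted in the question, copied verbatim.
RULES_TEXT = """
-A INPUT -s 192.168.0.0/255.255.255.0 -j REJECT
-A INPUT -s 172.24.0.19 -i eth1 -j ACCEPT
-A INPUT -s 172.24.0.27 -i eth1 -j ACCEPT
-A INPUT -s 172.24.0.28 -i eth1 -j ACCEPT
-A INPUT -s 172.24.0.29 -i eth1 -j ACCEPT
-A INPUT -m mac --mac-source 00:11:85:E3:C7:39 -j ACCEPT
-A INPUT -m mac --mac-source 00:11:85:E3:C8:F7 -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j DROP
"""

@dataclass
class Packet:  # hypothetical: only the fields the quoted rules can match on
    src: str
    iface: str
    mac: str
    proto: str
    sport: int
    dport: int

@dataclass
class Rule:  # hypothetical: a None field means "match anything" for that field
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None
    mac: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.src is None or ipaddress.ip_address(p.src) in self.src,
            self.iface is None or p.iface == self.iface,
            self.mac is None or p.mac.lower() == self.mac,
            self.proto is None or p.proto == self.proto,
            self.sport is None or self.sport[0] <= p.sport <= self.sport[1],
            self.dport is None or self.dport[0] <= p.dport <= self.dport[1],
        ])

def _port_range(spec: str) -> Tuple[int, int]:
    """'67:68' -> (67, 68); '22' -> (22, 22), as --sport/--dport are read."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables-save syntax used by the quoted rules."""
    toks = line.split()
    rule = Rule()
    for opt, arg in zip(toks[0::2], toks[1::2]):
        if opt in ("-A", "-m"):
            continue  # chain name / match-extension name: not needed for matching
        if opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)  # /24 or /255.255.255.0
        elif opt == "-i":
            rule.iface = arg
        elif opt == "--mac-source":
            rule.mac = arg.lower()
        elif opt == "-p":
            rule.proto = arg
        elif opt == "--sport":
            rule.sport = _port_range(arg)
        elif opt == "--dport":
            rule.dport = _port_range(arg)
        elif opt == "-j":
            rule.target = arg
        else:
            raise ValueError(f"option {opt!r} is not supported by this model")
    if not rule.target:
        raise ValueError("rule has no -j target")
    return rule

def evaluate(rules, pkt: Packet, policy: str) -> str:
    """Walk the chain top-down; the first matching rule's target is the verdict."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy  # nothing matched: the chain's default policy applies

CHAIN = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

# Constructed sample packets; the unlisted addresses and MACs are illustrative.
SAMPLES = {
    "dhcp_from_listed_mac": Packet("0.0.0.0", "eth1", "00:11:85:E3:C7:39", "udp", 68, 67),
    "dhcp_from_unknown_mac": Packet("0.0.0.0", "eth1", "00:11:85:00:00:01", "udp", 68, 67),
    "ssh_from_listed_host": Packet("172.24.0.19", "eth1", "02:00:00:00:00:01", "tcp", 40000, 22),
    "ssh_from_unlisted_host": Packet("172.24.0.50", "eth1", "02:00:00:00:00:02", "tcp", 40000, 22),
    "ssh_from_other_network": Packet("192.168.0.5", "eth0", "02:00:00:00:00:03", "tcp", 40000, 22),
}

def verdicts(policy: str = "DROP") -> dict:
    """Run every sample packet through the quoted chain under the given INPUT policy."""
    return {name: evaluate(CHAIN, pkt, policy) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(policy, verdicts(policy))
```

The verdict that changes between the two runs is `ssh_from_unlisted_host`: it is DROP only when the chain policy is DROP. On the real box, `iptables -L INPUT -n` prints the policy in the chain header, which is the first thing to check when an allow-list like this appears not to take effect.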