controlling access to services

Ben Petering bnptrng at tpg.com.au
Sun Oct 1 01:56:36 CST 2006


Karl Goetz wrote:
> Hi all,
> I'm hoping to control access to services running on a server. Although
> I hear it's not particularly useful, I whitelisted hosts in
> hosts.allow, and added "all: All" to hosts.deny to block anything else.
> I want the hosts 1, and 10-50 to be able to connect to ssh and tftp,
> and all hosts on the network to connect to dhcp. I've been looking at
> [1], but I can't seem to extract the info I need to get iptables to
> allow ranges of hosts.
> Any clues?
>
> [1] http://www.debian-administration.org/articles/73
> kk
>
Hi Karl :)

You can use iptables' iprange module to accomplish this.

I think you want something like:

# --- cut here ---

# accept incoming dhcp from any
iptables -A INPUT -p udp --dport bootps -j ACCEPT

# accept incoming ssh from .1, and .10-.50
iptables -A INPUT -p tcp --dport ssh -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -m iprange --src-range 192.168.0.10-192.168.0.50 -j ACCEPT

# accept incoming tftp from .1, and .10-.50
iptables -A INPUT -p udp --dport tftp -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p udp --dport tftp -m iprange --src-range 192.168.0.10-192.168.0.50 -j ACCEPT

# --- cut here ---


I would have just gone and fixed this myself, but I'll post it for the
benefit of the list. :)

Caveat emptor: I am no iptables guru, so if I've made a mistake, or
there is a better way to do this, feel free to clobber me with a 2-by-4.
(Or perhaps email the list, and let everyone know! Yeah. I like that one
better. Easier on the old cranium, too.)

--Ben
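An added example, not Ben's rules or anything from the thread: a small POSIX shell script that generates the same whitelist with the iprange match, but also sets a default-deny INPUT policy and adds a conntrack rule. The conntrack rule matters for two reasons the thread does not spell out: with INPUT set to DROP, replies to connections the server itself opens would otherwise be dropped, and TFTP data transfers come back on a fresh server port, so they are only matched as RELATED once the nf_conntrack_tftp helper is loaded (on 2006-era kernels the module was ip_conntrack_tftp and the match was spelled -m state --state). The 192.168.0/24 prefix is assumed from Ben's reply; IPT defaults to "echo iptables" so the script prints the rules rather than touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny INPUT plus explicit
# allows for DHCP (any host), SSH and TFTP (.1 and .10-.50 only).
# Assumption: the LAN is 192.168.0.0/24, as in the thread.
# IPT defaults to a dry run that prints the commands; run with
#   IPT=iptables sh ./rules.sh
# as root (after modprobe nf_conntrack_tftp) to apply them for real.

: "${IPT:=echo iptables}"

gen_rules() {
    net="${1:-192.168.0}"    # assumed /24 prefix; change to match your LAN

    # Start clean, then make "deny" the default for everything inbound.
    $IPT -F INPUT
    $IPT -P INPUT DROP

    # Loopback, plus replies to connections this host initiated. RELATED also
    # covers TFTP's secondary data port once nf_conntrack_tftp is loaded,
    # because the tftp daemon answers the request from a new source port.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DHCP requests from anywhere on the segment (bootps, udp/67).
    $IPT -A INPUT -p udp --dport 67 -j ACCEPT

    # SSH (tcp/22) and TFTP (udp/69): one rule for the single host .1,
    # one iprange rule for .10-.50, for each service.
    for svc in "tcp 22" "udp 69"; do
        set -- $svc    # $1 = protocol, $2 = port
        $IPT -A INPUT -p "$1" --dport "$2" -s "${net}.1" -j ACCEPT
        $IPT -A INPUT -p "$1" --dport "$2" \
             -m iprange --src-range "${net}.10-${net}.50" -j ACCEPT
    done
}

# Sanity check for the dry run: how many rules reference the address range?
count_range_rules() {
    gen_rules "$1" | grep -c -- '--src-range'
}

# Dry-run output when executed directly (no effect under IPT=iptables until
# you run it as root).
[ "${IPT}" = "echo iptables" ] && gen_rules
```

Run it once as a dry run, read the printed commands, and only then apply them as root; a wrong rule on a remote box locks you out, so keep the ESTABLISHED,RELATED rule ahead of the service rules and test from a second session before closing the one you are in.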


More information about the linuxsa mailing list