Mailinglist Archive: opensuse (4570 mails)
Re: [SLE] A question for the iptables gurus. :)
- From: Ben Rosenberg <red.kryptonite@xxxxxxxxx>
- Date: Fri, 4 Nov 2005 19:03:15 +0000 (UTC)
- Message-id: <e8fb47930511041103h63a9b9f1le952d61cc6e3b303@xxxxxxxxxxxxxx>
On 11/4/05, Ian Marlier <ian.marlier@xxxxxxxxxxxxxxxxxxx> wrote:
>
>
> >> I'm trying to write some iptables rules so that I can let someone
> >> telnet to machines on a 10.0.0.0 network but not allow them to telnet
> >> anywhere else.. effectively blocking outbound telnet to ANYTHING
> >> except the machines on the 10.0.0.0 network. I thought I had it but I
> >> guess I don't. The rules are as follows...
> >>
> >> # allow outgoing telnet traffic
> >> /usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 10.0.0.0/8 --dport 23 -j ACCEPT
> >> # block all other outgoing telnet traffic
> >> /usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 0/0 --dport 23 -j DROP
> >>
> >> This machine is a Compaq DL760 with 2 dual port 10/100 cards in it and
> >> eth2 is the first port on card 2.
> >
> > Right idea, but I think what you're actually looking for is the OUTPUT
> > chain...could be wrong on that, though.
> >
> > Regardless: the default policy for the base iptables chains is ACCEPT, so
> > I'd narrow it down to a single rule by doing:
> >
> > `iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`
> >
> > (If that doesn't work, then I was wrong about the output chain, and so try
> > it with the FORWARD chain instead.)
>
> Well, I get this error when using the rule you posted.
orson:~ # iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP
iptables v1.2.8: Can't use -i with OUTPUT
I wandered through the man page and I thought that the " -i " might need to
be " -o " instead but that didn't work either. I'm not that good with
iptables because 99% of the time I use ipfw under Solaris and the syntax is
much different and quite a bit more simple. If you or anyone who reads this
has ideas, I'm open to them.
-Ben
--
Atheism is a non-prophet organization.
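An added example, not from either poster: a small POSIX sh helper that builds the "telnet only to 10.0.0.0/8" rule for either chain and picks the interface option each chain accepts, which is the point behind the "Can't use -i with OUTPUT" error above. The function names (run_rule, telnet_rule) are hypothetical; it assumes eth2 is the LAN-side port as in the thread, uses the prefix negation "! -d" that current iptables accepts (1.2.8 wrote it as "-d ! 10.0.0.0/8"), and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Constructed example: generate (or apply) a rule that drops TCP/23 to any
# destination outside the allowed network, for the FORWARD or OUTPUT chain.

LAN_NET="10.0.0.0/8"      # the only network telnet may reach (from the thread)
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables command; 0 = run it (needs root)

# run_rule ARGS... -> either echoes "iptables ARGS..." or executes it.
# Arguments are passed as separate words, so nothing is re-parsed via eval.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables'
        printf ' %s' "$@"
        printf '\n'
    else
        iptables "$@"
    fi
}

# telnet_rule CHAIN IFACE -> the DROP rule for CHAIN, with the right interface match.
#   FORWARD handles packets routed through this box (LAN hosts behind eth2),
#           so "-i eth2" matches the interface they arrived on.
#   OUTPUT  handles packets generated on the box itself; they have no ingress
#           interface, hence "-i" is rejected there. "-o IFACE" matches the
#           interface the packet leaves on, which for a router's own sessions to
#           the outside is the WAN-side port, not the LAN-side eth2.
# Note: -A appends. An earlier ACCEPT for --dport 23 in the same chain would win,
# so check ordering with: iptables -L CHAIN -n -v --line-numbers
telnet_rule() {
    chain=$1
    iface=$2
    case "$chain" in
        FORWARD) opt=-i ;;
        OUTPUT)  opt=-o ;;
        *) echo "telnet_rule: unsupported chain '$chain'" >&2; return 1 ;;
    esac
    run_rule -A "$chain" -p tcp "$opt" "$iface" ! -d "$LAN_NET" --dport 23 -j DROP
}

# Usage: the case from the thread (LAN clients behind eth2 forwarded by this box).
telnet_rule FORWARD eth2
```

With DRY_RUN=0 the same call applies the rule; run it for OUTPUT with the WAN-side interface name if the router's own outbound telnet should be restricted as well.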