Mailinglist Archive: opensuse (4570 mails)
Re: [SLE] A question for the iptables gurus. :)
- From: Ian Marlier <ian.marlier@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 4 Nov 2005 13:00:23 +0000 (UTC)
- Message-id: <BF90C594.2DF89%ian.marlier@xxxxxxxxxxxxxxxxxxx>
> From: Ben Rosenberg <red.kryptonite@xxxxxxxxx>
> Date: Thu, 3 Nov 2005 20:44:02 -0800
> To: sle <suse-linux-e@xxxxxxxx>
> Subject: [SLE] A question for the iptables gurus. :)
>
> I'm trying to write some iptables rules so that I can let someone
> telnet to machines on a 10.0.0.0 network but not allow them to telnet
> anywhere else.. effectively blocking outbound telnet to ANYTHING
> except the machines on the 10.0.0.0 network. I thought I had it but I
> guess I don't. The rules are as follows...
>
> # allow outgoing telnet traffic
> /usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 10.0.0.0/8 --dport 23 -j ACCEPT
> # block all other outgoing telnet traffic
> /usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 0/0 --dport 23 -j DROP
>
> This machine is a Compaq DL760 with 2 dual port 10/100 cards in it and
> eth2 is the first port on card 2.
Right idea, but I think what you're actually looking for is the OUTPUT
chain...could be wrong on that, though.
Regardless: the default policy for the base iptables chains is ACCEPT, so
I'd narrow it down to a single rule by doing:
`iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`
(If that doesn't work, then I was wrong about the output chain, and so try
it with the FORWARD chain instead.)
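An added example (not from either poster) covering both chains discussed above: the FORWARD rule for traffic the router passes through from eth2, and the OUTPUT rule for telnet sessions started on the router itself. Interface names, the inside-interface role of eth2 and the rule positions are assumptions. Two details the example encodes: OUTPUT has no input interface, so `-i` is rejected there (match `-o` instead if you need an interface), and with a default-ACCEPT policy a single negated `! -d` DROP rule is enough, but it must sit before any earlier rule that already accepts everything from eth2, hence `-I ... 1` rather than `-A`. `DRY_RUN=1` prints the commands instead of executing them; `check_rules` uses `iptables -C`, which exits 0 when a matching rule exists.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Restrict telnet (TCP/23) so that only destinations inside 10.0.0.0/8 are
# reachable, both for forwarded traffic and for the router's own sessions.
# Assumptions (hypothetical): eth2 is the inside interface the users' traffic
# arrives on, and the box forwards it; paths and interface names are guesses.

IPT=${IPT:-/usr/sbin/iptables}
INSIDE_IF=${INSIDE_IF:-eth2}
ALLOWED_NET=${ALLOWED_NET:-10.0.0.0/8}

# Execute an iptables command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Traffic passing through the router goes via FORWARD, where -i is valid.
# Only one rule is needed because the chain's default policy is ACCEPT:
# telnet to anything outside 10/8 is dropped, telnet into 10/8 falls through.
# "! -d" is the current negation syntax; older releases accepted "-d !".
# Inserted at position 1 so an earlier blanket ACCEPT cannot shadow it.
forward_rules() {
    run -I FORWARD 1 -p tcp -i "$INSIDE_IF" ! -d "$ALLOWED_NET" --dport 23 -j DROP
}

# Sessions started on the router itself traverse OUTPUT, not FORWARD.
# OUTPUT has no input interface, so -i is rejected; omit it (or use -o).
output_rules() {
    run -I OUTPUT 1 -p tcp ! -d "$ALLOWED_NET" --dport 23 -j DROP
}

# Verify both rules are present; "iptables -C" exits 0 when the rule exists.
check_rules() {
    run -C FORWARD -p tcp -i "$INSIDE_IF" ! -d "$ALLOWED_NET" --dport 23 -j DROP \
      && run -C OUTPUT -p tcp ! -d "$ALLOWED_NET" --dport 23 -j DROP
}

# Usage:  sh telnet-restrict.sh apply        (or DRY_RUN=1 to preview)
if [ "${1:-}" = apply ]; then
    forward_rules && output_rules && check_rules
fi
```

After applying, `iptables -L FORWARD -n -v --line-numbers` shows the DROP rule at position 1 with its packet counters; a quick `telnet 10.0.0.1` from an inside host should connect (or time out at the far end) while `telnet` to any non-10/8 address should hang, since DROP sends no reply.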