
IPTABLES: need to grant certain IP address full access


stevenriz

IS-IT--Management
May 21, 2001
Hi, this is an IPTABLES question. We have a simple config shown below. I'd like to add a couple of IP addresses that will have full access to all ports on the system. I added this
-A INPUT -s 66.238.208.110/32 -d pub.lic.ip.add/32 -i eth0 -p tcp -m tcp --dport 1:65301 -j ACCEPT

to the config like so, to no avail. Here is the entire config... What do you think?

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -s ip.add.to.add/32 -d ser.ver.ip.add/32 -i eth0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 
Move your line above the "-A INPUT -j RH-Firewall-1-INPUT" line. Better yet, put your line into the RH-Firewall-1-INPUT chain above the "-j REJECT" line.

 
I don't think that rule is sufficient. I'm by no means an iptables expert, but this is what I use:

Code:
-A INPUT -s MYIPADDRESS -m state --state NEW -j ACCEPT 
-A FORWARD -s MYIPADDRESS -m state --state NEW -j ACCEPT 
-A OUTPUT -s MYIPADDRESS -m state --state NEW -j ACCEPT

Also note that not specifying the port range leaves it open to any.
 
I noticed that and renamed my line and all worked... I see now that INPUT was renamed to RH-Firewall........blablabla.... I think I have it now....
 
thanks lgarner, thanks eric... I will try both ways; eric's way is three lines to one, but the lines have fewer parameters in them. I will tend to bet they are negotiable in performance....
 
Well, they go in three different chains, INPUT, OUTPUT and FORWARD. INPUT is mandatory, OUTPUT is probably covered by a more general rule and FORWARD is only necessary if you're routing for a network.

I think your initial problem was the ordering, which you've fixed.
 
Yes, I would just leave the port off if you want all traffic incoming from that address. The main thing is to make sure that the desired traffic is ACCEPTed before it's REJECTed.
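The ordering point made in this thread, shown with a small first-match chain evaluator; this is an added example, not code from the thread or from iptables itself. It models only what the thread's rule set needs (chain jumps that fall through back to the caller, state and port matches, the chain's ACCEPT policy), ignores -i/-p and FORWARD, and uses a constructed address in place of the poster's real one.

```python
"""First-match evaluator for the INPUT path of the thread's iptables config.

Compares the original placement (allow rule after the jump into
RH-Firewall-1-INPUT) with the suggested fix (allow rule inside that chain,
above the "-j REJECT" line).  Addresses and packets are constructed samples.
"""
TRUSTED = "192.0.2.10"  # constructed stand-in for the address to be allowed

def rule(target, src=None, dport=None, state=None):
    # dport is an inclusive (low, high) range; state is a set of conntrack states
    return {"target": target, "src": src, "dport": dport, "state": state}

def matches(r, pkt):
    if r["src"] and pkt["src"] != r["src"]:
        return False
    if r["dport"] and not (r["dport"][0] <= pkt["dport"] <= r["dport"][1]):
        return False
    if r["state"] and pkt["state"] not in r["state"]:
        return False
    return True

def run_chain(chains, name, pkt):
    """Walk a chain in order; return a verdict, or None if the chain falls through."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        if r["target"] in chains:          # -j <user-defined chain>
            verdict = run_chain(chains, r["target"], pkt)
            if verdict is not None:        # no verdict means return to the caller
                return verdict
        else:
            return r["target"]             # terminating target: ACCEPT / REJECT
    return None

def verdict(chains, pkt):
    v = run_chain(chains, "INPUT", pkt)
    return v if v is not None else "ACCEPT"   # built-in policy ":INPUT ACCEPT"

RH = [rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
      rule("ACCEPT", state={"NEW"}, dport=(22, 22)),
      rule("ACCEPT", state={"NEW"}, dport=(80, 80)),
      rule("REJECT")]
allow = rule("ACCEPT", src=TRUSTED)

# Original post: allow rule listed after the jump, so the chain's REJECT fires first.
BROKEN = {"INPUT": [rule("RH-Firewall-1-INPUT"), allow], "RH-Firewall-1-INPUT": RH}
# Suggested fix: allow rule inside RH-Firewall-1-INPUT, directly above REJECT.
FIXED = {"INPUT": [rule("RH-Firewall-1-INPUT")],
         "RH-Firewall-1-INPUT": RH[:-1] + [allow] + RH[-1:]}

def check(chains, src, dport):
    """Verdict for a NEW connection from src to dport under the given rule set."""
    return verdict(chains, {"src": src, "dport": dport, "state": "NEW"})
```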
 