[PLUG] iptables redux
Roderick A. Anderson
raanders at acm.org
Tue Aug 17 15:34:02 UTC 2004
On Tue, 17 Aug 2004, Wil Cooley wrote:
> > Do deny/drop/reject rules come before or after the accept rules?
>
> Rules are explicitly ordered in the chains. So:
> 1. Accept the IP addresses you want to allow
> 2. Deny the rest
So if I understand this correctly, on one of my RHL systems, if I have
these lines in the /etc/sysconfig/iptables
-A RH-Lokkit-0-50-INPUT -s 1.2.3.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 4.5.6.7/255.255.255.255 -p tcp --dport 22 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 22 -j REJECT
will allow the C-class 1.2.3.0 in, as well as the single IP 4.5.6.7, and all
the rest of the network gets rejected. While I was off doing something else for a
bit, Rich mentioned doing a deny first, then the allows.
Rod
--
"Open Source Software - You usually get more than you pay for..."
"Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL"
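To show why the order Rod asks about matters, here is a small first-match evaluator, added as an example and not code from the post or from Red Hat's iptables scripts. It parses a copy of the three posted rules (only the -A, -s, -p, --dport and -j options are modelled; real iptables has many more match types, and the 0.0.0.0/0.0.0.0 mask is converted to /0) and reports the verdict for some constructed source addresses with the rules in the posted order versus the "deny first" order. The chain policy used when nothing matches is an assumption passed in by the caller.

```python
import ipaddress
import shlex

# Constructed copy of the three rules quoted in the post (not read from a live system).
RULES_ACCEPT_FIRST = """
-A RH-Lokkit-0-50-INPUT -s 1.2.3.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 4.5.6.7/255.255.255.255 -p tcp --dport 22 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 22 -j REJECT
"""

# Constructed sample source addresses: one in the C-class, the single host, an outsider.
SAMPLE_SOURCES = ["1.2.3.44", "4.5.6.7", "9.9.9.9"]


def parse_rule(line):
    """Turn one '-A CHAIN -s NET -p PROTO --dport N -j TARGET' line into match criteria."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "proto": None, "dport": None, "target": None}
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt == "-A":
            rule["chain"] = toks[i + 1]
        elif opt == "-s":
            # ipaddress accepts a dotted netmask; strict=False tolerates host bits set.
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif opt == "-p":
            rule["proto"] = toks[i + 1]
        elif opt == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif opt == "-j":
            rule["target"] = toks[i + 1]
        else:
            raise ValueError(f"unsupported option {opt!r} (this toy parser is deliberately small)")
        i += 2
    return rule


def parse_chain(text):
    """Parse a block of rule lines; -A appends, so list order is evaluation order."""
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def matches(rule, src, proto, dport):
    """A rule matches only if every criterion it specifies matches the packet."""
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return True


def verdict(rules, src, proto, dport, policy):
    """First-match semantics: the first matching terminating target decides.

    If no rule matches, the chain policy (an assumed value supplied by the caller) applies.
    """
    for rule in rules:
        if matches(rule, src, proto, dport):
            return rule["target"]
    return policy


def compare_orders(policy="ACCEPT"):
    """Evaluate port-22 TCP packets under the posted order and under 'deny first'."""
    accept_first = parse_chain(RULES_ACCEPT_FIRST)
    # Same three rules, but the catch-all REJECT moved to the front.
    reject_first = [accept_first[2], accept_first[0], accept_first[1]]
    return {
        "accept_first": {ip: verdict(accept_first, ip, "tcp", 22, policy) for ip in SAMPLE_SOURCES},
        "reject_first": {ip: verdict(reject_first, ip, "tcp", 22, policy) for ip in SAMPLE_SOURCES},
    }


if __name__ == "__main__":
    for order, results in compare_orders().items():
        print(order)
        for ip, target in results.items():
            print(f"  {ip:<10} -> {target}")
```

With the rules in the posted order, 1.2.3.44 and 4.5.6.7 are accepted and 9.9.9.9 is rejected; with the catch-all REJECT moved first, every source hits that rule before the ACCEPT rules are ever consulted, so all three are rejected. A packet to a port the chain does not mention (port 80 here) falls through to the chain policy in either order.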