alphaomega Posted May 28, 2007 (edited)

This should work to accomplish what I want, right? Am I missing anything?

I have a hardware router between my LAN webserver and the internet. If I want to, say, allow a specific IP address from the internet to access the webserver on the LAN, I could:

1. Temporarily configure the router to forward port 80 to the LAN webserver.
2. On the LAN webserver, use iptables to accept TCP traffic with a destination port of 80 from the source IP address.
3. On the LAN webserver, use iptables to drop all the other TCP traffic with a destination port of 80.

Using a shell script, something like this:

```sh
#!/bin/sh
iptables -F
iptables -X
# allow from a machine on the lan
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 80 -j ACCEPT
# allow from a machine on the internet
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 80 -j ACCEPT
# drop the rest
iptables -A INPUT -p tcp --dport 80 -j DROP
```

Would I need to worry about someone spoofing their source IP and pretending to be from the IP address I want to allow into the webserver?

Trying out this configuration, I can access the webserver using its LAN address in the 192.168 range. Probing my box using grc shows port 80 as stealth. Now I just need to get this tested from the outside in?

Thanks in advance for any information. Cheers

P.S. And could I not also use something similar to allow me to access the ssh and proftp daemons from a remote machine on the internet (as long as I have the remote machine's IP address so I can configure iptables)?

Edited May 28, 2007 by alphaomega
sunrat Posted May 28, 2007 (edited)

You could also use grc to check connectivity by allowing their IP temporarily, if you can't just ping from the specified address. Yes, you can allow/deny any service this way.

I always use Shorewall to config iptables. It's basically a script with text config files. To allow, say, SSH, all you need is "ssh/ACCEPT" in your rules file. However, it is powerful and versatile too. The Shorewall site has excellent documentation.

Edited May 28, 2007 by sunrat
alphaomega Posted May 28, 2007 (Author)

sunrat wrote: "You could also use grc to check connectivity by allowing their IP temporarily, if you can't just ping from the specified address."

Duh... slap me with a stupid stick... LOL. Cheers
alphaomega Posted May 28, 2007 (Author)

I think I've got it: by temporarily forwarding the ports at the router and using the following rules with iptables...

```sh
#!/bin/sh
iptables -F
iptables -X
# allow lan machine
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 80 -j ACCEPT
# allow specific internet ip
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 80 -j ACCEPT
# allow grc
iptables -A INPUT -s 4.79.142.192/28 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 4.79.142.192/28 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 4.79.142.192/28 -p tcp --dport 80 -j ACCEPT
# drop the rest
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
```
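Added example (editor's code, not part of the thread): the two scripts above do what the first post describes, but they leave the INPUT chain's default policy at ACCEPT, so anything not listed on ports 21, 22 and 80 is still reachable, and they do not distinguish new connections from replies. The script below generates the same kind of source-address allowlist as a default-deny ruleset, with loopback and established-connection rules, one ACCEPT per (source, port) pair for new TCP connections, a rate-limited LOG of what gets dropped, and the DROP policy set last so a session already open on the console is not interrupted. It prints the rules for review and only applies them when APPLY=1 is set. All addresses, ports and the interface are assumed placeholders (203.0.113.7 is from the documentation range), not addresses from the posts. On the spoofing question from the first post: an off-path attacker who forges the allowed source address on a TCP packet does not receive the SYN-ACK (it goes to the real owner of that address), so the handshake cannot complete and the service never sees a request; the allowlist is therefore a meaningful filter for TCP services, though not a substitute for the services' own authentication.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables INPUT ruleset that
# admits a fixed set of source addresses to a fixed set of TCP ports.
# All addresses below are assumed placeholders, not values from the thread.
# Nothing is applied unless the caller sets APPLY=1.

LAN_HOST="192.168.1.10"      # assumed LAN management host
REMOTE_HOST="203.0.113.7"    # assumed remote admin address (documentation range)
PORTS="21 22 80"             # services being exposed through the router

# Emit one ACCEPT rule per (source, port) pair.  Matching only on
# --ctstate NEW lets the ESTABLISHED,RELATED rule handle the replies.
allow_rules() {
    src="$1"; shift
    for p in "$@"; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$src" "$p"
    done
}

# Full ruleset, in the order it should be applied:
# flush, baseline, allowlist, logging, and the DROP policy last.
gen_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    allow_rules "$LAN_HOST" $PORTS
    allow_rules "$REMOTE_HOST" $PORTS
    # log what the policy is about to drop, rate limited so the log cannot be flooded
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    # policy goes last so the ESTABLISHED rule is in place before anything is dropped
    echo 'iptables -P INPUT DROP'
}

# Number of commands the generator emits: 4 baseline + 2*3 allow + LOG + policy.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh -e     # apply for real (needs root)
else
    gen_rules             # dry run: print the rules for review
fi
```

Review the printed rules first, then run it as root with APPLY=1 to load them. Because the default policy becomes DROP, anything else the box should answer (ICMP echo, DNS replies for its own lookups) is covered only through the ESTABLISHED,RELATED rule; add explicit rules for anything else you need. For FTP, passive-mode data connections are only matched as RELATED if the kernel's FTP connection-tracking helper is active (nf_conntrack_ftp; on recent kernels helpers must also be assigned explicitly with the CT target or via the nf_conntrack_helper sysctl), otherwise the data connection is dropped even though port 21 is allowed.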