[H-GEN] IPTables problem
Robert Brockway
robert at timetraveller.org
Mon Jul 19 01:52:58 EDT 2004
On Mon, 19 Jul 2004, Harry Phillips wrote:
> MYIP="xxx.xxx.xxx.xxx"
> EXT_IF="192.168.1.4"
> iptables -A INPUT -i $EXT_IF -s $MYIP -p tcp --syn --destination-port 22
> -j ACCEPT
> $IPTABLES -A INPUT -i $EXT_IF -j DROP
>
> It still allows *anyone* to connect to port 22 on the IP address
> 192.168.1.4, why? Is it because the second IP is just an alias?
Hi Harry. The switch -i is for an interface not an IP address, so you
would use eth0 or eth0:0. I'm surprised you are not getting an error on
this.
If you have the appliance redirecting packets to a particular address on
the Linux box (192.168.1.4 in this case) then that is the only address the
Linux box will see external packets arriving to (destination address).
Try this:
MYIP="xxx.xxx.xxx.xxx"
EXT_IF=eth0
$IPTABLES -A INPUT -p tcp --syn -i $EXT_IF -s $MYIP --dport 22 -j ACCEPT
I would not bother with -i in this case but I've left it in to illustrate
the point.
Note: This is untested.
Rob
--
Robert Brockway B.Sc. email: robert at timetraveller.org, rbrockway at uqconnect.net
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah
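As an added illustration of the point made in this thread (this is not Harry's or Rob's script), the POSIX sh snippet below builds the same three-rule INPUT policy but checks its arguments first, so an IP address handed to -i (the mistake in the original post) is rejected before any iptables command is run. IPTABLES defaults to "echo iptables", so the script is a dry run that can be exercised offline, which also addresses Rob's "untested" caveat; the address 203.0.113.7 is a constructed documentation value standing in for xxx.xxx.xxx.xxx, and the ESTABLISHED,RELATED rule is an addition not present in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds the SSH allow /
# default-drop INPUT rules discussed above, validating that EXT_IF is an
# interface name and MYIP an IPv4 address before anything is applied.
#
# Dry run by default: IPTABLES="echo iptables" just prints the commands.
# Run with IPTABLES=iptables (as root) to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address (each octet 0-255), else 1.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a plausible interface name (eth0, eth0:0, eth0.100),
# 1 if it is an IP address or uses characters no interface name has.
is_iface() {
    is_ipv4 "$1" && return 1
    case "$1" in
        ""|*[!A-Za-z0-9:._-]*) return 1 ;;
    esac
    return 0
}

# build_ssh_rules EXT_IF MYIP: allow new SSH connections from MYIP arriving
# on EXT_IF, keep replies to the box's own connections working, drop the rest.
build_ssh_rules() {
    ext_if=$1; myip=$2
    is_iface "$ext_if" || { echo "EXT_IF must be an interface, not '$ext_if'" >&2; return 1; }
    is_ipv4 "$myip"    || { echo "MYIP must be an IPv4 address, not '$myip'" >&2; return 1; }
    # Not in the original thread: without this rule the trailing DROP would
    # also discard replies to connections the Linux box opens itself.
    $IPTABLES -A INPUT -i "$ext_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$ext_if" -p tcp --syn -s "$myip" --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -i "$ext_if" -j DROP
}

# Demonstration with constructed values (203.0.113.7 is a documentation
# address standing in for the thread's xxx.xxx.xxx.xxx).
build_ssh_rules eth0 203.0.113.7               # prints the three rules
build_ssh_rules 192.168.1.4 203.0.113.7 || echo "rejected: an IP address is not an interface"
```

The dry-run default makes the output easy to eyeball before applying; switching IPTABLES to the real binary is the only change needed on the firewall host.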