Recipe 2.10 Blocking Remote Access, but Permitting Local

2.10.1 Problem

You want only local users to access a TCP service; remote requests should be denied.

2.10.2 Solution

Permit connections via the loopback interface and reject all others.

For iptables:

    # iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
    # iptables -A INPUT -p tcp --dport service -j REJECT

For ipchains:

    # ipchains -A input -p tcp -i lo --dport service -j ACCEPT
    # ipchains -A input -p tcp --dport service -j REJECT

Alternatively, you can single out your local IP address specifically.

For iptables:

    # iptables -A INPUT -p tcp ! -s your_IP_address --dport service -j REJECT

For ipchains:

    # ipchains -A input -p tcp ! -s your_IP_address --dport service -j REJECT

Depending on your shell, you might need to escape the exclamation point.

2.10.3 Discussion

The local IP address can be a network specification, of course, such as a.b.c.d/N.

You can permit an unrelated set of machines to access the service but reject everyone else, like so:

For iptables:

    # iptables -A INPUT -p tcp -s IP_address_1 --dport service -j ACCEPT
    # iptables -A INPUT -p tcp -s IP_address_2 --dport service -j ACCEPT
    # iptables -A INPUT -p tcp -s IP_address_3 --dport service -j ACCEPT
    # iptables -A INPUT -p tcp --dport service -j REJECT

For ipchains:

    # ipchains -A input -p tcp -s IP_address_1 --dport service -j ACCEPT
    # ipchains -A input -p tcp -s IP_address_2 --dport service -j ACCEPT
    # ipchains -A input -p tcp -s IP_address_3 --dport service -j ACCEPT
    # ipchains -A input -p tcp --dport service -j REJECT

The catch-all is written as a final rule rather than as a chain policy: iptables accepts only ACCEPT or DROP as the policy of a built-in chain, and -P takes the policy name directly, without -j. Rules are evaluated in order, so the ACCEPT rules must precede the REJECT.

2.10.4 See Also

iptables(8), ipchains(8). Chapter 3 covers diverse, non-firewall approaches to block incoming service requests.
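The following script is an added example, not part of the book: it walks INPUT-chain rule lines like the ones in this recipe in order (first match wins, then the chain policy), so you can check which sources would reach a port before loading the rules as root. TCP port 3306 standing in for service, the interface names and the 192.0.2.x / 203.0.113.x addresses are all constructed for the example; the parser understands only the -p, -i, -s, "! -s", --dport and -j options used in this recipe.

```python
# Added example (not from the book): evaluate `iptables -S`-style INPUT rules in order, first
# match wins, else the chain policy, so a ruleset can be sanity-checked offline before it is
# loaded as root. Understands -p, -i, -s, "! -s", --dport and -j only; all data is constructed.
import ipaddress
import shlex
SIMPLE = {"-p": "proto", "-i": "iface", "-j": "target"}  # flags whose value is copied as-is

def parse_rule(line):
    toks = shlex.split(line.lstrip("# "))  # drop the root-prompt "# "
    rule = dict(proto=None, iface=None, src=None, negate_src=False, dport=None, target=None)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in SIMPLE:
            rule[SIMPLE[tok]] = toks[i + 1]; i += 2
        elif tok == "--dport":
            rule["dport"] = int(toks[i + 1]); i += 2
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif tok == "!" and toks[i + 1] == "-s":  # "! -s addr": any source except addr
            rule["src"] = ipaddress.ip_network(toks[i + 2], strict=False)
            rule["negate_src"] = True; i += 3
        else:
            i += 1  # "iptables", "-A", "INPUT" carry no match criteria
    return rule

def matches(rule, pkt):
    """True when every criterion the rule specifies fits the packet dict."""
    for key in ("proto", "iface", "dport"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    if rule["src"] is not None:
        in_net = ipaddress.ip_address(pkt["src"]) in rule["src"]
        if in_net == rule["negate_src"]:  # a negated rule fires only when NOT in the net
            return False
    return True

def verdict(rules, pkt, policy="ACCEPT"):
    if policy not in ("ACCEPT", "DROP"):  # REJECT is a rule target, never a chain policy
        raise ValueError("built-in chain policy must be ACCEPT or DROP")
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed rulesets: the recipe's two variants, with TCP port 3306 standing in for service.
LOOPBACK_ONLY = ["# iptables -A INPUT -p tcp -i lo --dport 3306 -j ACCEPT",
                 "# iptables -A INPUT -p tcp --dport 3306 -j REJECT"]
ALLOWLIST = ["# iptables -A INPUT -p tcp -s 192.0.2.16/28 --dport 3306 -j ACCEPT",
             "# iptables -A INPUT -p tcp --dport 3306 -j REJECT"]
```

Reordering the two LOOPBACK_ONLY lines turns the loopback ACCEPT into dead code, which the simulator shows at once: every connection to the port is then rejected.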