Preston Crawford
2006-Jan-31 22:45 UTC
[CentOS] Easy way to reject all incoming packets except from certain IPs?
Is there an easy way to reject all incoming packets except those that come from certain IPs? I can't find any way via iptables or via the GUI provided with CentOS (or another GUI for CentOS) without having to resort to Shorewall. It's fine if the answer is "go with Shorewall". I just didn't want to have to become a Shorewall expert for this really small task.

Any help/advice on this is appreciated. Am I missing an easier way?

Preston
Troy Engel
2006-Feb-01 00:38 UTC
[CentOS] Easy way to reject all incoming packets except from certain IPs?
Preston Crawford wrote:
> Is there an easy way to reject all incoming packets except those that
> come from certain IPs? I can't find any way via iptables or via the GUI

See this great iptables example:

http://oceanpark.com/notes/firewall_example.html

In your case it'll be a whole lot simpler; all you'll need are the initial drop rules for all traffic, then a rule or two to allow XYZ IP in.

-te

pseudo:

# flush the old INPUT/OUTPUT rules first, set the DROP policy last,
# so the session you are typing from is not cut off halfway through
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
# keep replies to connections this box opened (and your current login)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# your IPs below, one -A line per allowed address
iptables -A INPUT -i eth0 -s x.y.z.s/32 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

-- 
Troy Engel | Systems Engineer
Fluid, Inc | http://www.fluid.com
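An added example, not part of Troy's post or anything else in this thread: the same allowlist-only INPUT chain, written out as an iptables-restore file by a small POSIX sh script instead of being typed one iptables command at a time. iptables-restore loads the whole table in one transaction, so the DROP policy and the ACCEPT rules take effect together and a remote admin cannot lock himself out between two commands. The interface name eth0 and the addresses (taken from the RFC 5737 documentation ranges) are constructed placeholders; `iptables-restore` and the `-m conntrack --ctstate` match are standard iptables components, the latter being the current spelling of the `-m state --state` match used above.

```shell
#!/bin/sh
# Added example (not from the thread): build an allowlist-only firewall as an
# iptables-restore ruleset. Interface name and addresses are assumed inputs.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only (no globs)
    IFS=.
    set -- $addr                             # split the address into octets
    unset IFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore ruleset: drop everything inbound on $1 except
# loopback, replies to established connections, and the listed sources.
# Usage: gen_allowlist_rules IFACE CIDR [CIDR ...]
gen_allowlist_rules() {
    iface=$1
    shift
    if [ $# -lt 1 ]; then
        echo "gen_allowlist_rules: at least one allowed address is required" >&2
        return 1
    fi
    # Validate every address before printing anything, so a typo never
    # produces a half-written ruleset.
    for cidr in "$@"; do
        if ! valid_ipv4_cidr "$cidr"; then
            echo "gen_allowlist_rules: rejecting malformed address '$cidr'" >&2
            return 1
        fi
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # default-deny inbound
    printf '%s\n' ':FORWARD DROP [0:0]'      # assumption: this host does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Keeps replies to outbound connections, and the admin's own SSH session,
    # alive when the new policy is loaded.
    printf '%s\n' "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -s $cidr -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Example run (constructed addresses):
#   gen_allowlist_rules eth0 203.0.113.7 198.51.100.0/24 > /tmp/allowlist.rules
#   iptables-restore < /tmp/allowlist.rules
#   iptables -L INPUT -n -v    # confirm "policy DROP" and the expected ACCEPT lines
```

Before loading the file on a remote box, make sure the address you are connecting from is in the list, and ideally have console access handy; the ESTABLISHED,RELATED rule protects the current session, but a reboot without that address allowed leaves you out. On CentOS the rules are persisted with `service iptables save`, which writes /etc/sysconfig/iptables in this same iptables-restore format.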
hkclark at gmail.com
2006-Feb-02 03:39 UTC
[CentOS] Easy way to reject all incoming packets except from certain IPs?
On 1/31/06, Preston Crawford <preston.crawford at gmail.com> wrote:
>
> Is there an easy way to reject all incoming packets except those that come
> from certain IPs? I can't find any way via iptables or via the GUI provided
> with CentOS (or another GUI for CentOS) without having to resort to
> Shorewall. It's fine if the answer is "go with Shorewall". I just didn't
> want to have to become a Shorewall expert for this really small task.
>
> Any help/advice on this is appreciated. Am I missing an easier way?
>
> Preston

If the only thing you want to do is filter a limited number of IPs, Troy's example will work great. But if you want other features in an easy-to-manage package, it might be worth checking out APF at:

http://www.rfxnetworks.com/apf.php

I have been using it for a while... it has a lot of nice features (rate limiting of some traffic, logging, etc.) and makes it really easy to manage allow lists, block lists, and multiple IP addresses on the box. I'm not aware of an RPM-based version, but the tarball install sticks everything in /etc/apf, so it's easy to remove if you want to.

Take care,
K