I have 5 public IP's I would like to allow. Seems the games my wife plays use 2000 different ports to do their thing and I don't want to have to open that large of a range. The site's help suggests opening 5 IP's:

153.128.250.0
153.128.251.0
153.128.252.0
153.128.253.0
<these are examples since I don't have the list available>

I tried a rule like:

ACCEPT loc net:153.12.250.0 tcp http

with no luck. I know it's being blocked since the DROP occurs on the loc2net chain on various dest ports.

I also looked at the whitelisting option on the website and it didn't seem to be what I was looking for, but perhaps I didn't understand it fully.

My System is:
RH 7.2
Kernel 2.4.21
Iptables 1.2.8
Shorewall 1.4.7a

Any hints would be appreciated.

thanks.
Kev
On Fri, 2003-10-31 at 11:13, Kevin Smith wrote:

> I have 5 public IP's I would like to allow. Seems the games my wife plays
> uses 2000 different ports to do its thing and I don't want to have to open
> that large of a range. The sites help suggests opening 5 IP's:
> 153.128.250.0
> 153.128.251.0
> 153.128.252.0
> 153.128.253.0
> <these are examples since I don't have the list available>
> If tried a rule like:
>
> ACCEPT loc net:153.12.250.0 tcp http
>
> with no luck. I know it being blocked since the DROP occurs on the loc2net
> chain. on various dest ports.

So you have replaced the normal loc->net ACCEPT policy with something else? If not, then you had better look again at your logs because none of the sample configurations will DROP anything in the loc2net chain.

> I also looked at the whitelisting option on the website and it didn't seem
> to be what I was looking for, but perhaps I didn't understand it fully.

You could use that technique but until we understand more about your network setup (and what your policies look like), we can't advise you in any detail. In particular, we need to know if you use SNAT/Masquerade, straight routing, Proxy ARP, Static NAT, ???

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-10-31 at 11:13, Kevin Smith wrote:

>> I have 5 public IP's I would like to allow. Seems the games my wife plays
>> uses 2000 different ports to do its thing and I don't want to have to open
>> that large of a range. The sites help suggests opening 5 IP's:
>> 153.128.250.0
>> 153.128.251.0
>> 153.128.252.0
>> 153.128.253.0
>> <these are examples since I don't have the list available>
>> If tried a rule like:
>>
>> ACCEPT loc net:153.12.250.0 tcp http
>>
>> with no luck. I know it being blocked since the DROP occurs on the loc2net
>> chain. on various dest ports.

> So you have replaced the normal loc->net ACCEPT policy with something
> else? If not, then you had better look again at your logs because none
> of the sample configurations will DROP anything in the loc2net chain.

--
Nope, I simply added the above rule to allow that IP. I run it with loc->net as DROP. This should cause it to act as I said. I decided to go with that policy due to paranoia. The thing is, when it connects, it uses a ton of dest ports. The website suggested opening the IP's (which I don't like) instead of the ports since it uses a huge range.

>> I also looked at the whitelisting option on the website and it didn't seem
>> to be what I was looking for, but perhaps I didn't understand it fully.

> You could use that technique but until we understand more about your
> network setup (and what your policies look like), we can't advise you in
> any detail. In particular, we need to know if you use SNAT/Masquerade,
> straight routing, Proxy ARP, Static NAT, ???
> -Tom

---
My setup is based on your 2 interface example, 1 server 3 w98se clients NAT'd so that all can access the net via my dialup line. The only thing is only one machine (10.0.0.3) needs to have access to these IPs.

------------------------------
On Mon, 3 Nov 2003, Kevin Smith wrote:

> On Fri, 2003-10-31 at 11:13, Kevin Smith wrote:
>
>>> I have 5 public IP's I would like to allow. Seems the games my wife plays
>>> uses 2000 different ports to do its thing and I don't want to have to open
>>> that large of a range. The sites help suggests opening 5 IP's:
>>> 153.128.250.0
>>> 153.128.251.0
>>> 153.128.252.0
>>> 153.128.253.0
>>> <these are examples since I don't have the list available>
>>> If tried a rule like:
>>>
>>> ACCEPT loc net:153.12.250.0 tcp http
>>>
>>> with no luck. I know it being blocked since the DROP occurs on the loc2net
>>> chain. on various dest ports.
>
>> So you have replaced the normal loc->net ACCEPT policy with something
>> else? If not, then you had better look again at your logs because none
>> of the sample configurations will DROP anything in the loc2net chain.
>
> --
> Nope, I simply added the above rule to allow that IP. I run it with loc->net
> as DROP. This should cause it to act as I said. I decided to go with that
> policy due to paranoia. The thing is, when it connects, it uses a ton of
> dest ports. The website suggested opening the IP's (which I don't like)
> instead of the ports since it uses a huge range.

Well, when you decide what you have done, please let us know. I asked you if you had changed the loc->net ACCEPT policy; you said "Nope". Then we get two totally baffling statements:

a) "I simply added the above rule to allow that IP." - What your rule does is allow HTTP connections to that IP. So that's good if your wife is trying to browse a web site at 153.12.250.0 but that's all the rule will do.

b) "I run it with loc->net as DROP". I have no idea what this refers to. If you hadn't answered "Nope" to my question, I would have thought that you were referring to the loc->net policy but ???

Given this contradictory information, I must try to guess what's going on:

a) I suspect that you have in fact changed the normal loc->net ACCEPT policy to DROP.

b) If so, you need to add:

ACCEPT loc net:153.128.250.0 all
ACCEPT loc net:153.128.251.0 all
...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
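As an added illustration, not taken from the thread or from the Shorewall project, here is how Tom's suggestion could be written in the Shorewall 1.4 policy and rules files while keeping the loc->net DROP policy in force and narrowing the exception to the one client Kevin said needs it (10.0.0.3); the 153.128.25x.0 addresses are the thread's own placeholders, and the policy lines follow the two-interface sample Kevin said he started from.

```conf
# /etc/shorewall/policy  (Shorewall 1.4 syntax; added example, not from the thread)
# Keep the paranoid default: everything from loc to net is dropped and logged,
# so anything not matched by a rule below shows up as a loc2net log entry.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (Shorewall 1.4 syntax; added example, not from the thread)
# Allow only the game machine (10.0.0.3) to reach the game's servers on any
# protocol and port.  "all" in PROTO replaces "tcp http", which only let HTTP
# through.  The addresses are the placeholders used in the thread; substitute
# the real server list from the game's site.
#ACTION   SOURCE         DEST                 PROTO   DEST PORT(S)
ACCEPT    loc:10.0.0.3   net:153.128.250.0    all
ACCEPT    loc:10.0.0.3   net:153.128.251.0    all
ACCEPT    loc:10.0.0.3   net:153.128.252.0    all
ACCEPT    loc:10.0.0.3   net:153.128.253.0    all
```

Run `shorewall check` before `shorewall restart`; any loc2net DROP entries that remain in the log then identify traffic from other hosts or to destinations outside this list.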