Ipchain syntax question
der.hans
PLUGd@LuftHans.com
Wed, 21 Mar 2001 10:29:30 -0700 (MST)
On 21 Mar 2001, David Demland said:
> I need to allow a single IP in my firewall to a single computer on my
> internal class C network. What is the syntax for ipchain to do this? Here is
> the example:
>
> 555.555.555.555 needs access to only 192.168.1.1 port 5555
Do you mean you want to port forward to 5555 on 192.168.1.1 from a host
out on the net? I think that's what you mean and will base my answer on it
:). I also presume you mean tcp.
net_ip=555.555.555.555
fw_ip=<firewall's external IP>
ext_if=<firewall's external interface, e.g. eth0>
int_host=192.168.1.1
# new user chain for packets arriving from outside
ipchains -N ext-in
# -i takes an interface name, not an address, so hand it the external interface
ipchains -A input -i $ext_if -j ext-in
# allow only the one remote host to reach tcp/5555 on the firewall's external address
ipchains -A ext-in -j ACCEPT -p TCP -s $net_ip/32 -d $fw_ip/32 5555
# flush the port-forward table, then map tcp/5555 on the firewall to the internal host
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $fw_ip 5555 -R $int_host 5555
Didn't try this out. Mostly cutting and pasting from my setup, but that
should be most of what you need.
If you want to specifically ban $net_ip from everything else, then add
these lines after the ACCEPT line.
ipchains -A ext-in -j DENY -p TCP -s $net_ip/32 -d $fw_ip/32
ipchains -A ext-in -j DENY -p UDP -s $net_ip/32 -d $fw_ip/32
ipchains -A ext-in -j DENY -p ICMP -s $net_ip/32 -d $fw_ip/32
ciao,
der.hans
--
# der.hans@LuftHans.com home.pages.de/~lufthans/ www.YourCompanyHere.net ;-)
# Motorcycles don't kill. Motorcycles get killed.
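Added example, not part of the original post: a small first-match simulator for the ext-in chain and the portfw mapping described above, to show why the ACCEPT line has to sit before the three DENY lines. The addresses are constructed sample values, and the simulator simplifies ipchains by giving the chain its own fall-through policy instead of returning to the input chain.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addresses standing in for the post's placeholders.
NET_IP, FW_IP, INT_HOST = "203.0.113.7", "198.51.100.1", "192.168.1.1"

@dataclass
class Rule:
    target: str                     # ACCEPT or DENY
    proto: Optional[str] = None     # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any destination port

def matches(rule: Rule, pkt: Tuple) -> bool:
    proto, src, dst, dport = pkt
    return ((rule.proto is None or rule.proto == proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def run_chain(chain, pkt, policy="ACCEPT") -> str:
    """ipchains walks a chain top to bottom and stops at the first match."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy   # nothing matched: fall back to the chain's policy

# The ext-in chain from the post: ACCEPT first, then the three DENY lines.
EXT_IN = [
    Rule("ACCEPT", "tcp", f"{NET_IP}/32", f"{FW_IP}/32", 5555),
    Rule("DENY", "tcp", f"{NET_IP}/32", f"{FW_IP}/32"),
    Rule("DENY", "udp", f"{NET_IP}/32", f"{FW_IP}/32"),
    Rule("DENY", "icmp", f"{NET_IP}/32", f"{FW_IP}/32"),
]

# What "ipmasqadm portfw -a -P tcp -L $fw_ip 5555 -R $int_host 5555" installs.
PORTFW = {("tcp", FW_IP, 5555): (INT_HOST, 5555)}

def forward(chain, pkt):
    """Final (address, port) a packet reaches, or None if the chain denies it."""
    if run_chain(chain, pkt) != "ACCEPT":
        return None
    proto, _, dst, dport = pkt
    return PORTFW.get((proto, dst, dport), (dst, dport))
```

Swapping the DENY lines in front of the ACCEPT line makes the tcp/5555 packet hit the TCP DENY first, so the forward never happens.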