Ipchain syntax question

der.hans PLUGd@LuftHans.com
Wed, 21 Mar 2001 10:29:30 -0700 (MST)


On 21 Mar 2001, David Demland wrote:

> I need to allow a single IP in my firewall to a single computer on my
> internal class C network. What is the syntax for ipchain to do this? Here is
> the example:
> 
> 555.555.555.555 needs access to only 192.168.1.1 port 5555

Do you mean you want to port forward to 5555 on 192.168.1.1 from a host
out on the net? I think that's what you mean and will base my answer on it
:). I also presume you mean tcp.

net_ip=555.555.555.555
fw_ip=<firewall's external IP>
ext_if=<firewall's external interface, e.g. eth0>
int_host=192.168.1.1

ipchains -N ext-in
ipchains -A input -i $ext_if -j ext-in
ipchains -A ext-in -j ACCEPT -p TCP -s $net_ip/32 -d $fw_ip/32 5555
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $fw_ip 5555 -R $int_host 5555

Didn't try this out. Mostly cutting and pasting from my setup, but that
should be most of what you need.

If you want to specifically ban $net_ip from everything else, then add
these lines after the ACCEPT line.

ipchains -A ext-in -j DENY -p TCP -s $net_ip/32 -d $fw_ip/32
ipchains -A ext-in -j DENY -p UDP -s $net_ip/32 -d $fw_ip/32
ipchains -A ext-in -j DENY -p ICMP -s $net_ip/32 -d $fw_ip/32

ciao,

der.hans
-- 
#  der.hans@LuftHans.com   home.pages.de/~lufthans/   www.YourCompanyHere.net ;-)
# Motorcycles don't kill. Motorcycles get killed.
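An added example, not from the original post, that wraps the rule set above in a POSIX sh script: it checks each address is a dotted quad with octets in 0..255 (which rejects the 555.555.555.555 placeholder before any rule is loaded), passes an interface name to `-i` since ipchains matches on interfaces rather than addresses, and prints the rules instead of running them when DRY_RUN is set. The function names valid_ipv4, portfw_rules and apply_rules, the TEST-NET addresses and eth0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Variable and function names,
# the sample addresses and the interface name eth0 are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ipchains/ipmasqadm rules that let NET_IP reach only
# FW_IP:PORT, forwarded to INT_HOST:PORT, and deny it everything else.
# Usage: portfw_rules NET_IP FW_IP INT_HOST PORT EXT_IF
portfw_rules() {
    net_ip=$1; fw_ip=$2; int_host=$3; port=$4; ext_if=$5
    for ip in "$net_ip" "$fw_ip" "$int_host"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    cat <<EOF
ipchains -N ext-in
ipchains -A input -i $ext_if -j ext-in
ipchains -A ext-in -j ACCEPT -p TCP -s $net_ip/32 -d $fw_ip/32 $port
ipchains -A ext-in -j DENY -p TCP -s $net_ip/32 -d $fw_ip/32
ipchains -A ext-in -j DENY -p UDP -s $net_ip/32 -d $fw_ip/32
ipchains -A ext-in -j DENY -p ICMP -s $net_ip/32 -d $fw_ip/32
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $fw_ip $port -R $int_host $port
EOF
}

# Load the rules on the firewall, or only print them when DRY_RUN is set.
apply_rules() {
    rules=$(portfw_rules "$@") || return 1
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}
```

Run it as `DRY_RUN=1 apply_rules 203.0.113.7 198.51.100.2 192.168.1.1 5555 eth0` to review the generated rules before loading them.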