Subj : Re: IPTables problem
To : alt.os.linux,alt.linux,comp.os.linux
From : Harry Phillips
Date : Fri Jul 23 2004 12:09 pm

jack wrote:
> Harry Phillips wrote:
>> I do not want any restrictions on the first IP. I have tried to
>> configure iptables on the server to restrict what hosts can connect to
>> port 22 on the second IP by using the following rules:
>>
>> MYIP="xxx.xxx.xxx.xxx"
>> EXT_IF="192.168.1.4"
>> iptables -A INPUT -i $EXT_IF -s $MYIP -p tcp --syn --destination-port 22 -j ACCEPT
>> $IPTABLES -A INPUT -i $EXT_IF -j DROP
>>
>> It still allows *anyone* to connect to port 22 on the IP address
>> 192.168.1.4, why? Is it because the second IP is just an alias?
>
> You should use the "-i" option with an IF name, like "eth1:0" or similar.

Tried that and it gives this error:

EXT_IF=eth0:0
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).

> If You want to use IP addresses, try "-d $EXT_IF". - Note that You do
> not really refer to any "IF" with "$EXT_IF", but to an IP, so "EXT_IP"
> would be a better name for that variable.

I posted this question to several newsgroups and mailing lists. I eventually worked out how to do it and thought I had posted the solution I found here already.

What I did was set up a rule to accept any local connection, then drop everything else except the IP of my ADSL modem. If you are interested, the rules I created look like this:

EXT_IP="xxx.xxx.xxx.xxx"
INT_NW="192.168.1.0/24"
IPTABLES="/sbin/iptables"
$IPTABLES -A INPUT -s $INT_NW -p tcp --syn --dport 22 -j ACCEPT
$IPTABLES -A INPUT -s ! $EXT_IP -p tcp --syn --dport 22 -j DROP

--
Regards,
Harry Phillips
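The rules Harry posted match only on the source address, so they restrict SSH on every address the server has, not just on the alias, which is the opposite of the "no restrictions on the first IP" requirement in the original question. Jack's hint is the right fix: an alias like eth0:0 is just a second address on the same interface, so iptables cannot select it with -i, but it can with -d. The script below is an added example (not Harry's script and not from the thread) that applies that hint: it accepts SSH SYNs to the aliased address from the local network and from one external address, drops all other SSH SYNs to the aliased address, and leaves the primary address alone because no rule mentions it. EXT_IP is a placeholder (203.0.113.10); set IPTABLES=echo or run without arguments to print the rules instead of installing them.

```shell
#!/bin/sh
# Added example: restrict SSH on the aliased (second) address only, by
# matching the destination address rather than an alias interface name.
# Not the original poster's rules; 203.0.113.10 is a placeholder for the
# external (ADSL modem) address, 192.168.1.4 is the alias from the thread.

EXT_IP="${EXT_IP:-203.0.113.10}"         # placeholder: the one external host allowed in
ALIAS_IP="${ALIAS_IP:-192.168.1.4}"      # the second (aliased) address on the server
INT_NW="${INT_NW:-192.168.1.0/24}"       # the local network, always allowed
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run

# Emits (or installs, when IPTABLES is the real binary) the three rules.
# Order matters: the two ACCEPTs must precede the catch-all DROP, and every
# rule carries -d "$ALIAS_IP", so SSH on the primary address is untouched.
ssh_alias_rules() {
    $IPTABLES -A INPUT -d "$ALIAS_IP" -s "$INT_NW" -p tcp --syn --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -d "$ALIAS_IP" -s "$EXT_IP" -p tcp --syn --dport 22 -j ACCEPT
    # No negation needed ("-s ! addr" syntax was later changed to "! -s");
    # an explicit DROP after the ACCEPTs is clearer and works on old and new iptables.
    $IPTABLES -A INPUT -d "$ALIAS_IP" -p tcp --syn --dport 22 -j DROP
}

# Dry run: print the rules that would be installed, one per line.
print_rules() {
    ( IPTABLES=echo; ssh_alias_rules )
}

# Number of rules the script would install (used for self-checks).
rule_count() {
    print_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    --install) ssh_alias_rules ;;   # must be run as root
    *)         print_rules ;;       # default: review before installing
esac
```

Run it with no arguments to review the generated rules, then with --install as root once they look right. Because every rule is qualified with -d, connections to the server's first address never reach the DROP, which is the behaviour the original question asked for.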