Rick,

it dawned on me at 04:30 this morning (don't ask) that you probably want to tighten this up even more (and simplify it too) by doing the following:

iptables -A INPUT -i ethX -s <IP_addr_of_host_B> -m multiport -p tcp --dport www,ssh -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o ethX -d <IP_addr_of_host_B> -j ACCEPT
iptables -A OUTPUT -j DROP

Just be aware that the two drop statements now prevent host A talking to any machine other than host B and only over ethX. So if ethX ever fails, you're screwed. And if you don't want host A initiating calls, change line 3 above back to include '-m state --state RELATED,ESTABLISHED'

------------------------------------------------------------------------
Kind Regards

Kyle


r...@greyheads.net wrote:
Kyle, apologies for the top posting - mail2web is a bit dumb at this.

Do you mean that the script should look like this:

iptables -A INPUT -m state --state NEW -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o ethX -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ethX -j DROP

Can you have two -m statements on the one line?

Regards,

Rick



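The tightened ruleset from the thread, as an added example that is not from either poster: a POSIX sh script that renders Kyle's rules for a given interface and peer address (both caller-supplied placeholders), keeps the stateful OUTPUT rule so host A never initiates connections, and applies the set with an automatic rollback, since the only path left open is ethX to host B and a mistake locks you out. The loopback accept and the rollback timer are additions not discussed in the thread.

```shell
#!/bin/sh
# Render the rule commands for interface $1 and peer address $2.
# Rules are flushed first so re-running does not stack duplicates.
build_rules() {
    iface="$1"; peer="$2"
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $iface -s $peer -p tcp -m multiport --dports www,ssh -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o $iface -d $peer -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j DROP
EOF
}

# Save the live ruleset, apply the new one, and restore the saved copy
# after $3 seconds (default 60) unless confirm_rules is called first.
apply_with_rollback() {
    iface="$1"; peer="$2"; grace="${3:-60}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$grace"; iptables-restore < "$backup"; rm -f "$backup" ) &
    echo $! > /tmp/iptables-rollback.pid
    build_rules "$iface" "$peer" | sh
}

# Run this from a session that still works to cancel the pending rollback.
confirm_rules() {
    pid=$(cat /tmp/iptables-rollback.pid) || return 1
    kill "$pid" && rm -f /tmp/iptables-rollback.pid
}
```

Typical use is `apply_with_rollback eth0 192.0.2.10 90` from host B's ssh session, then `confirm_rules` once the new session to www or ssh from host B is confirmed to work.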
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
