Eric Cunningham on Tue, 31 Jul 2001 09:20:08 -0400



Re: [PLUG] TCP/IP netmask question


Kevin,

Thanks for the input.  I think I will take your advice and use a DENY
rather than simply removing them from the list of forwarding IPs. 
However, I've also had problems with various people randomly picking IP
addresses at will.  I'm hoping to crack down on this as well.

In regards to my machine forwarding packets without masquerading, the
first line of my script which I hadn't previously mentioned is:

/sbin/ipchains -P forward DENY 

which should by default deny everything that isn't negated later in the
script I believe.  

Thanks again!

-eric



> 
> Eric,
> 
> I believe your assumption is absolutely correct.  The /32 or a netmask of
> 255.255.255.255 should match one single address, and this is exactly the
> type of notation I use for denying a single address automatically with
> portsentry.
> 
> However I would suggest an alternate configuration, you can keep your
> rule for the larger 10.0.0.0/8 network to MASQ, and then simply add a DENY
> rule for a specific IP when someone doesn't pay up on time.  This may keep
> your configuration easier to read.  This also will drop the packets from
> this machine on the input chain, rather than allowing it to get to the
> forward chain which will save some processing.  Also in your suggested
> configuration your machine may just forward the packet out with the
> 10.1.1.x address on it if you don't have a MASQ rule for that specific
> address which is certainly not the desired result.
> 
> good luck,
> Kevin
> 
> On Sat, 28 Jul 2001, Eric Cunningham wrote:
> 
> > Hey all,
> >
> > This is more of a general networking question but since this is on a
> > linux box I feel somewhat justified in asking...
> >
> > I have a 10.1.1.x network with a 255.0.0.0 netmask supporting a number
> > of users.  Not all of our users are good about paying up on time so I'd
> > like to rewrite the ipchains script to only allow access to the outside
> > from specific IP addresses.  From the IP masq Howto I see that to allow
> > the entire network, I'd run a line like this:
> >
> > /sbin/ipchains -A forward -i eth0 -j MASQ
> >
> > ...which we have now and works fine.
> >
> > And to allow from only specific IPs, I'd run this:
> >
> > /sbin/ipchains -A forward -i eth0 -s 10.1.1.x/32 -j MASQ
> >
> > ...repeat for each allowed IP.
> >
> > The question is the netmask /32.  Is this right?  For a class A network,
> > a netmask is typically a /8 but then that would again allow everyone.
> > So by using a /32, I'm using a more precise 32 bit address allowing only
> > that IP address, right?
> >
> > Just wanted to confirm my thinking before causing massive mayhem.
> >
> > Thanks!
> >
> > -eric
> >



______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
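The rule-ordering and netmask points made in this thread, worked as a small model of ipchains first-match semantics. This is an added example, not code from either poster or from the ipchains project; it only emulates the forward chain (policy plus an ordered list of source-address rules, first match wins) and prints the equivalent ipchains script lines. The 10.1.1.7 "delinquent host" address and the 10.0.0.0/8 network are constructed from the thread's own addressing; ACCEPT in the model stands for "forwarded without rewriting", which is the case Kevin warns about.

```python
"""Toy model of the ipchains forward chain (constructed example).

Shows three things from the thread:
  (a) a /32 matches exactly one host, a /8 matches 16,777,216 addresses;
  (b) Kevin's layout: a DENY for the specific host placed BEFORE the
      10.0.0.0/8 MASQ rule drops that host and masquerades everyone else;
  (c) Eric's original layout (per-host MASQ rules only) depends on the
      chain's default policy: with policy ACCEPT an unlisted host is
      forwarded unmasqueraded, with policy DENY it is dropped.
"""
from ipaddress import ip_address, ip_network


def build_chain(policy, rules):
    """A chain is a default policy plus an ordered list of (src_cidr, target).

    Order matters: ipchains evaluates rules in the order they were added.
    """
    return {
        "policy": policy,
        "rules": [(ip_network(cidr), target) for cidr, target in rules],
    }


def verdict(chain, src):
    """First matching source rule wins; otherwise the chain policy applies."""
    addr = ip_address(src)
    for net, target in chain["rules"]:
        if addr in net:
            return target
    return chain["policy"]


def netmask_host_count(cidr):
    """Number of addresses a prefix covers (/32 -> 1, /8 -> 2**24)."""
    return ip_network(cidr).num_addresses


def render_script(chain, iface="eth0"):
    """Emit the ipchains lines that would build this chain with -A (append).

    Because -A appends, the list order here is the evaluation order.
    """
    lines = [f"/sbin/ipchains -P forward {chain['policy']}"]
    for net, target in chain["rules"]:
        lines.append(
            f"/sbin/ipchains -A forward -i {iface} -s {net.with_prefixlen} -j {target}"
        )
    return lines


# Kevin's suggestion: default DENY, one DENY per non-paying host, then the
# catch-all MASQ for the whole 10.0.0.0/8 (netmask 255.0.0.0) network.
KEVIN_CHAIN = build_chain("DENY", [
    ("10.1.1.7/32", "DENY"),   # constructed "didn't pay up" host
    ("10.0.0.0/8", "MASQ"),
])

# Eric's original idea, per-host MASQ only, with and without -P forward DENY.
ERIC_NO_POLICY = build_chain("ACCEPT", [("10.1.1.5/32", "MASQ")])
ERIC_WITH_POLICY = build_chain("DENY", [("10.1.1.5/32", "MASQ")])


if __name__ == "__main__":
    print("/32 covers", netmask_host_count("10.1.1.7/32"), "address")
    print("/8 covers", netmask_host_count("10.0.0.0/8"), "addresses")
    for host in ("10.1.1.7", "10.1.1.8", "192.168.0.1"):
        print("Kevin chain:", host, "->", verdict(KEVIN_CHAIN, host))
    print("Eric, policy ACCEPT, unlisted 10.1.1.9 ->", verdict(ERIC_NO_POLICY, "10.1.1.9"))
    print("Eric, policy DENY,   unlisted 10.1.1.9 ->", verdict(ERIC_WITH_POLICY, "10.1.1.9"))
    print("\n".join(render_script(KEVIN_CHAIN)))
```

One practical caveat the model makes visible: the script uses -A, which appends. If a new DENY for a host is added to a running chain with -A it lands after the 10.0.0.0/8 MASQ rule and never matches; on a live system such a rule should be inserted at the top with `ipchains -I forward ...` (or the whole script re-run after a flush) so that it precedes the catch-all MASQ rule.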