Kevin D. McAllister on Mon, 30 Jul 2001 08:40:05 -0400



Re: [PLUG] TCP/IP netmask question


Eric,

I believe your assumption is absolutely correct.  The /32 or a netmask of
255.255.255.255 should match one single address, and this is exactly the
type of notation I use for denying a single address automatically with
portsentry.

However, I would suggest an alternate configuration: you can keep your
rule for the larger 10.0.0.0/8 network to MASQ, and then simply add a DENY
rule for a specific IP when someone doesn't pay up on time.  This may keep
your configuration easier to read.  This will also drop the packets from
this machine on the input chain, rather than allowing them to get to the
forward chain, which will save some processing.  Also, in your suggested
configuration your machine may just forward the packet out with the
10.1.1.x address on it if you don't have a MASQ rule for that specific
address, which is certainly not the desired result.

Good luck,
Kevin

On Sat, 28 Jul 2001, Eric Cunningham wrote:

> Hey all,
> 
> This is more of a general networking question but since this is on a
> linux box I feel somewhat justified in asking...
> 
> I have a 10.1.1.x network with a 255.0.0.0 netmask supporting a number
> of users.  Not all of our users are good about paying up on time so I'd
> like to rewrite the ipchains script to only allow access to the outside
> from specific IP addresses.  From the IP masq Howto I see that to allow
> the entire network, I'd run a line like this:
> 
> /sbin/ipchains -A forward -i eth0 -j MASQ
> 
> ...which we have now and works fine.
> 
> And to allow from only specific IPs, I'd run this:
> 
> /sbin/ipchains -A forward -i eth0 -s 10.1.1.x/32 -j MASQ
> 
> ...repeat for each allowed IP.
> 
> The question is the netmask /32.  Is this right?  For a class A network,
> a netmask is typically a /8, but then that would again allow everyone.
> So by using a /32, I'm using a more precise 32-bit address allowing only
> that IP address, right?
> 
> Just wanted to confirm my thinking before causing massive mayhem.
> 
> Thanks!
> 
> -eric
> 
> 
> 
> ______________________________________________________________________
> Philadelphia Linux Users Group       -      http://www.phillylinux.org
> Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
> General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
> 
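A small model of the two rule layouts discussed in this thread, added here as an example and not part of either message. It shows that a /32 netmask matches exactly one host, and that under the per-host MASQ layout a packet from a host with no matching rule is forwarded with its private 10.1.1.x source address intact, whereas the input-chain DENY drops it before it reaches the forward chain. The host addresses and the ACCEPT default policies are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts (assumption, not from the thread).
PAID = ["10.1.1.10", "10.1.1.11"]
UNPAID = ["10.1.1.20"]


def prefix_to_netmask(prefix: int) -> str:
    """Dotted-quad netmask for a /prefix: 32 -> 255.255.255.255, 8 -> 255.0.0.0."""
    return str(ipaddress.IPv4Network(("0.0.0.0", prefix)).netmask)


def matches(addr: str, cidr: str) -> bool:
    """True when addr falls inside cidr; a /32 matches exactly one host."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr, strict=False)


def run_chain(rules, chain, src):
    """First matching rule in `chain` wins; no match falls through to the
    (assumed) ACCEPT default policy, as ipchains does."""
    for rule_chain, cidr, target in rules:
        if rule_chain == chain and matches(src, cidr):
            return target
    return "ACCEPT"


def route(rules, src):
    """What leaves the box for a packet from src. A forwarded packet traverses
    the input chain first, then the forward chain."""
    if run_chain(rules, "input", src) == "DENY":
        return "dropped"
    if run_chain(rules, "forward", src) == "MASQ":
        return "masqueraded"
    return "leaked"  # forwarded with the private 10.1.1.x source still on it


# Eric's layout: one /32 MASQ rule per paying host and nothing else.
ERIC_RULES = [("forward", f"{ip}/32", "MASQ") for ip in PAID]

# Kevin's layout: DENY the non-payer on input, keep the /8 MASQ for everyone.
KEVIN_RULES = [("input", f"{ip}/32", "DENY") for ip in UNPAID] + [
    ("forward", "10.0.0.0/8", "MASQ")
]

if __name__ == "__main__":
    print("/32 =", prefix_to_netmask(32), " /8 =", prefix_to_netmask(8))
    for ip in PAID + UNPAID:
        print(ip, "eric:", route(ERIC_RULES, ip), " kevin:", route(KEVIN_RULES, ip))
```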