Networking Forums > Computer Networking > Linux Networking
HELP, Need quick iptables rules

 
 
akak01000101@gmail.com
      01-15-2008, 07:18 AM

I'm a newbie to iptables and need quick iptables rules that say any
node can connect inbound to the linux server from subnets
192.168.1.0/24 and 192.168.2.0/24 to port 8000 via TCP, and deny all
other networks.

Any help is greatly appreciated! Thanks...

-akak
 

Ashish Shukla आशीष शुक्ल
      01-15-2008, 12:49 PM
>>>>> On Tue, 15 Jan 2008 00:18:45 -0800 (PST), (E-Mail Removed) said:


akak01000101> I'm a newbie to iptables and need quick iptables rules that say any
akak01000101> node can connect inbound to the linux server from subnets
akak01000101> 192.168.1.0/24 and 192.168.2.0/24 to port 8000 via TCP, and deny all
akak01000101> other networks.

/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.2.0/24 -p tcp --dport 8000 -j ACCEPT

HTH
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
 

Ashish Shukla आशीष शुक्ल
      01-15-2008, 02:24 PM
>>>>> "आशीष" == Ashish Shukla आशीष शुक्ल <(E-Mail Removed)> writes:
>>>>> On Tue, 15 Jan 2008 00:18:45 -0800 (PST), (E-Mail Removed) said:


akak01000101> I'm a newbie to iptables and need quick iptables rules that say any
akak01000101> node can connect inbound to the linux server from subnets
akak01000101> 192.168.1.0/24 and 192.168.2.0/24 to port 8000 via TCP, and deny all
akak01000101> other networks.

Forgot to mention deny rule.

आशीष> /sbin/iptables -A INPUT --src-host 192.168.1.0/24 -p tcp --dport 8000 -j ACCEPT
आशीष> /sbin/iptables -A INPUT --src-host 192.168.2.0/24 -p tcp --dport 8000 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 8000 -j DROP

HTH
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
 

habibielwa7id
      01-16-2008, 08:08 AM
On Jan 15, 5:24 pm, wahj...@gmail.com (Ashish Shukla आशीष शुक्ल)
wrote:
> >>>>> "आशीष" == Ashish Shukla आशीष शुक्ल <wahj...@gmail.com> writes:
> >>>>> On Tue, 15 Jan 2008 00:18:45 -0800 (PST), akak01000...@gmail.com said:
>
> akak01000101> I'm a newbie to iptables and need quick iptables rules that say any
> akak01000101> node can connect inbound to the linux server from subnets
> akak01000101> 192.168.1.0/24 and 192.168.2.0/24 to port 8000 via TCP, and deny all
> akak01000101> other networks.
>
> Forgot to mention deny rule.
>
> आशीष> /sbin/iptables -A INPUT --src-host 192.168.1.0/24 -p tcp --dport 8000 -j ACCEPT
> आशीष> /sbin/iptables -A INPUT --src-host 192.168.2.0/24 -p tcp --dport 8000 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 8000 -j DROP
>
> HTH
> --
> Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
> ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --

But be careful where you put these rules. They may not work if there are any other rules before them that block the traffic, for example, so beware; you may insert them as the first rules so no earlier rule can affect them. So sometimes don't use -A; use -I with a rule number like
/sbin/iptables -I INPUT 1 -s 192.168.1.0/24 -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -I INPUT 2 -s 192.168.2.0/24 -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -I INPUT 3 -p tcp --dport 8000 -j DROP
And then don't forget to store the new rules you added, so you don't lose them when you restart your system.
Wishes
 

Matthew Shelton
      02-02-2008, 02:04 PM
(E-Mail Removed) wrote:
| I'm a newbie to iptables and need quick iptables rules that say any
| node can connect inbound to the linux server from subnets
| 192.168.1.0/24 and 192.168.2.0/24 to port 8000 via TCP, and deny all
| other networks.
|
| Any help is greatly appreciated! Thanks...
|
| -akak

Another word of advice when you're configuring the firewall: don't try
to ssh to the firewall box you're trying to configure. As previously
mentioned, you can lock down the entire computer accidentally, which
boots your ssh session in the process.

A misplaced "iptables -P INPUT DROP" can really fuck your day.

 

D. Stussy
      03-03-2008, 07:45 PM
"habibielwa7id" <(E-Mail Removed)> wrote in message
news:b3e861dc-ef7e-4dfa-a94d-(E-Mail Removed)...
On Jan 15, 5:24 pm, wahj...@gmail.com (Ashish Shukla आशीष शुक्ल)
wrote:
> >>>>> "आशीष" == Ashish Shukla आशीष शुक्ल <wahj...@gmail.com> writes:
> >>>>> On Tue, 15 Jan 2008 00:18:45 -0800 (PST), akak01000...@gmail.com said:
>
> akak01000101> I'm a newbie to iptables and need quick iptables rules that say any
> akak01000101> node can connect inbound to the linux server from subnets
> akak01000101> 192.168.1.0/24 and 192.168.2.0/24 to port 8000 via TCP, and deny all
> akak01000101> other networks.
>
> Forgot to mention deny rule.
>
> आशीष> /sbin/iptables -A INPUT --src-host 192.168.1.0/24 -p tcp --dport 8000 -j ACCEPT
> आशीष> /sbin/iptables -A INPUT --src-host 192.168.2.0/24 -p tcp --dport 8000 -j ACCEPT

Although the "-p tcp" selects the TCP protocol, don't you also need a "-m
tcp" in order to be able to use the "--dport" option?

> /sbin/iptables -A INPUT -p tcp --dport 8000 -j DROP
>
> HTH


The same question goes for the reply below too:

But be careful where you put these rules. They may not work if there are any other rules before them that block the traffic, for example, so beware; you may insert them as the first rules so no earlier rule can affect them. So sometimes don't use -A; use -I with a rule number like
/sbin/iptables -I INPUT 1 -s 192.168.1.0/24 -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -I INPUT 2 -s 192.168.2.0/24 -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -I INPUT 3 -p tcp --dport 8000 -j DROP
And then don't forget to store the new rules you added, so you don't lose them when you restart your system.
Wishes


 
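The rule set the thread converges on, as an added example that is not code posted by anyone in this thread: a POSIX shell script that generates the three INPUT rules with explicit -I positions (habibielwa7id's ordering point), uses -s for the source-address match (iptables has no --src-host option; -s/--source is the correct one), and applies them behind a timed rollback so a mistake cannot lock the operator out of the box (the failure Matthew Shelton warns about). On D. Stussy's question: -p tcp implicitly loads the tcp match extension, so --dport is accepted without an explicit -m tcp. The subnets and port are the thread's values; the IPT, IPT_SAVE and IPT_RESTORE overrides and the 60-second default delay are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Builds the INPUT rules
# discussed above (accept TCP/8000 from two subnets, drop it from everywhere
# else), inserted at the top of INPUT so no earlier rule shadows them, and
# applies them with a timed rollback so a mistake cannot lock the operator
# out. IPT/IPT_SAVE/IPT_RESTORE overrides are this example's own convention.

ALLOWED_NETS="192.168.1.0/24 192.168.2.0/24"   # the thread's subnets
PORT=8000                                      # the thread's port
IPT=${IPT:-/sbin/iptables}
IPT_SAVE=${IPT_SAVE:-/sbin/iptables-save}
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}

# Print the commands, one per line, in the order they must run. Each -I has an
# explicit position so the ACCEPTs land above the DROP regardless of what the
# chain already holds. -s is the source-address match; -p tcp implicitly loads
# the tcp match, so --dport needs no separate -m tcp.
gen_rules() {
    n=1
    for net in $ALLOWED_NETS; do
        printf '%s -I INPUT %d -s %s -p tcp --dport %d -j ACCEPT\n' \
            "$IPT" "$n" "$net" "$PORT"
        n=$((n + 1))
    done
    # Only packets that matched none of the ACCEPTs above reach this rule.
    printf '%s -I INPUT %d -p tcp --dport %d -j DROP\n' "$IPT" "$n" "$PORT"
}

# Number of rules gen_rules emits: one ACCEPT per subnet plus the DROP.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Apply the rules with a safety net: save the current rule set, start a
# background timer that restores it after $1 seconds (default 60), then apply.
# If the new rules cut off the session, nothing cancels the timer and the old
# rules come back; if the session survives, the operator kills the timer.
apply_with_rollback() {
    delay=${1:-60}
    backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || return 1
    ( sleep "$delay" && "$IPT_RESTORE" < "$backup" ) &
    timer=$!
    # A failure part-way through leaves a half-applied chain; restore at once.
    gen_rules | sh -e || { kill "$timer"; "$IPT_RESTORE" < "$backup"; return 1; }
    echo "Rules applied. Confirm access still works, then run: kill $timer"
    echo "Otherwise the previous rule set is restored automatically in ${delay}s."
}
```

Running gen_rules alone prints the commands for review; apply_with_rollback needs root and real iptables binaries. Persisting the rules across reboots (habibielwa7id's last point) is distribution-specific and is deliberately left out of the script.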
 
 
 