IPTables to restrict an IP address to certain ports

Doug Coats dcoats at heritagemail.org
Fri Mar 18 16:44:21 UTC 2005


Sorry for not being more exact.

The computer (A) that I want to print from is a Win98 machine.  It is hooked
up to a FC2 box that acts as a file server/router.  The computer (B) with
the printer is on another subnet.  Currently (with no IPTables rules for
restriction) computer A can print and has access to all network resources
that any other computer on the network has access to.

I want to restrict, in IPTables, so that computer A can print on computer B
but can only file share and print.

Thanks for your help,

Doug

-----Original Message-----
From: David Hoffman [mailto:dhoffman2004 at gmail.com]
Sent: Friday, March 18, 2005 9:57 AM
To: dcoats at heritagemail.org; For users of Fedora Core releases
Subject: Re: IPTables to restrict an IP address to certain ports


On Fri, 18 Mar 2005 09:00:39 -0600, Doug Coats <dcoats at heritagemail.org>
wrote:
> Hello all,
>
> I need to restrict a computer hooked up to my network so that it can only
> access net-bios ports (137-139 I believe).  My idea is to let them transfer
> files and use network printers but nothing else.  The computer will have a
> set IP address.
>
> Does anyone know what the exact IPTables line would look like to accomplish
> this.  I have never addressed an issue like this with IPTables.

You would also need port 445. Windows machines using file and printer
sharing use ports 137, 138, 139, and 445.

I'm not sure about the exact syntax at this time, and without knowing
more details about how your network is set up, I can't guess. It
depends on whether your linux machine is acting as a router between
two networks, or if the machines that your computer needs netbios
access to are on the same network. If they are on the same network,
then traffic would be direct from machine A to machine B, and would
not go through IPTABLES.

If machine A and machine B are on separate networks, routed through
the Linux machine, you would probably want to set rules up on your
INPUT chain.

You would need to set up three rules in your IPTABLES.

Rule 1 says to allow traffic from the source machine with a
destination port of 137:139 to be ALLOWED.
Rule 2 says to allow traffic from the source machine with a
destination port of 445 to be ALLOWED.
Rule 3 says to DENY or REJECT all traffic from the source machine.

Since IPTables rules are effective in the order they are written, Rule
1 or 2 would allow the traffic you need, and rule 3 would prevent any
traffic on any other ports from being accepted.

Hope this information is helpful.

David
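The three-rule layout David describes, written out as an added example (not code from the thread) for the routed case Doug later confirms: A on one subnet, B on the other, with the FC2 box forwarding between them. Because the box forwards this traffic rather than receiving it, the rules belong in the FORWARD chain; INPUT only sees packets addressed to the router itself. Two details the rule list glosses over: ports 137 and 138 are UDP while 139 and 445 are TCP, so a single port-range rule would miss half of them, and if the FORWARD policy is DROP the replies from B need an ESTABLISHED,RELATED rule or nothing comes back. The addresses (192.168.1.50 for A, 192.168.2.10 for B) are assumptions; with IPT=echo the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread: confine one host (A) to
# SMB/CIFS file and print sharing on a host (B) behind a Linux router.
# Addresses below are assumptions.  IPT=echo prints instead of applying.

IPT="${IPT:-iptables}"

# $1 = A (the client to restrict), $2 = B (the file/print server).
restrict_host_to_smb() {
    a="$1"; b="$2"

    # Replies to sessions A opened.  Needed when FORWARD policy is DROP;
    # harmless otherwise.  Must precede the REJECT at the end.
    $IPT -A FORWARD -d "$a" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NetBIOS name service (137) and datagram service (138) are UDP.
    $IPT -A FORWARD -s "$a" -d "$b" -p udp --dport 137:138 -j ACCEPT

    # NetBIOS session service (139) and direct-hosted SMB (445) are TCP.
    $IPT -A FORWARD -s "$a" -d "$b" -p tcp --dport 139 -j ACCEPT
    $IPT -A FORWARD -s "$a" -d "$b" -p tcp --dport 445 -j ACCEPT

    # Rule 3 in David's list: everything else from A is refused.  REJECT
    # (rather than DROP) makes the client fail immediately instead of
    # hanging until a timeout, which is kinder on a Win98 desktop.
    $IPT -A FORWARD -s "$a" -j REJECT
}

# Usage: IPT=echo ./restrict.sh 192.168.1.50 192.168.2.10   (review)
#        ./restrict.sh 192.168.1.50 192.168.2.10            (apply, as root)
if [ "$#" -eq 2 ]; then
    restrict_host_to_smb "$1" "$2"
fi
```

Run it as root with the two addresses to apply the rules, or with IPT=echo first to read them. Two caveats worth checking on this setup: a NetBIOS name broadcast does not cross the router, so A finds B by name only through WINS (UDP 137 to the WINS server, which these rules permit only if B is that server) or an LMHOSTS entry; and the final REJECT is keyed on A's source address alone, so any later rule for A must be inserted above it with -I rather than appended with -A, or it never matches.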
