iptables

Patrick Derwael pderwael at webandco.be
Fri Sep 15 14:43:21 UTC 2006


It looks like I need to rephrase my needs:

I have a segment with 9 IPs (x.y.z.211-219).
There may be no connection restriction between all those machines (all
ports authorized)

x.y.z.219 must be able to send packets to the Net, and of course the
returning packets must be allowed to reach the sender (219) back. I can't
see the use to send packets out, if the sender can't get the answer
back...
With the current setup, the returning packets are dropped.

Question: how can I set up iptables in order to accept the returning
packets if the connection has been started by x.y.z.219 (not if the
connection is attempted from outside the authorized range)?

To put it differently, if I'm logged on the x.y.z.219, I must be able to
surf to any website without entering the website's IP in iptables
beforehand.

I hope this is clearer!!

On Fri, September 15, 2006 4:14 pm, Chiu, PCM \(Peter\) said:
> Patrick,
>
>> I've added my DNS & GW, and I can connect from anywhere within the
>> allowed range, I also can get out to the Net, but...
>
>> This setup prevents any returning packet from the Net to get in...
>
> I thought that is precisely the way you want:
>    "I need some help with iptables. I'm trying to block every access to
>    one RHEL4 box (x.y.z.218), except from 9 IPs (x.y.z.211-219).
>    Every port from the allowed range should reach x.y.z.218"
>
> i.e. restrict access only to your 9 machines and no one else.
>
> If there is another (internal/external) host/network you need to access,
> just add that to the accept list.
>
> This way, you have precise control where users can get in from and get
> out.
> Even if hackers manage to break in, they cannot do a general probe to
> other machines.
>
> Peter
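A stateful rule set for the situation Patrick describes (an added example, not configuration from the thread): the connection-tracking state match accepts replies to connections the box itself opened, while new connections are still accepted only from the nine addresses. It assumes iptables runs on the host whose replies are being dropped, that the prefix x.y.z is a placeholder to substitute, and that the `-m state` match of that era is available; if the box is instead the gateway for 219, the same rules belong in the FORWARD chain.

```shell
#!/bin/sh
# Added example for the thread's question, not the poster's own configuration.
# Assumptions (placeholders, not real addresses): iptables runs on the RHEL4
# box, the allowed segment is x.y.z.211-219, and a real prefix is substituted
# for x.y.z before anything is applied.
PREFIX="${PREFIX:-x.y.z}"          # placeholder network prefix
HOSTS="211 212 213 214 215 216 217 218 219"

# Print the rule set instead of applying it, so it can be reviewed first
# (pipe the output into sh as root to apply it).
gen_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # Replies to connections this box started (a browser session to any
  # website, for instance) are accepted by conntrack state, so the remote
  # site's address never needs to be listed in advance.
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # New connections are accepted only from the nine allowed machines.
  for h in $HOSTS; do
    echo "iptables -A INPUT -m state --state NEW -s ${PREFIX}.${h} -j ACCEPT"
  done
  # Unsolicited packets from outside the range are logged, then dropped.
  echo "iptables -A INPUT -m state --state NEW -j LOG --log-prefix \"iptables NEW dropped: \""
  echo "iptables -A INPUT -j DROP"
}

# Sanity check: the ESTABLISHED,RELATED accept must precede the final DROP,
# otherwise returning packets are dropped exactly as in the current setup.
# Returns 0 when the ordering is right.
check_order() {
  gen_rules | awk '
    /ESTABLISHED,RELATED/ && !seen { seen = NR }
    /-j DROP/ && !drop { drop = NR }
    END { exit (seen && drop && seen < drop) ? 0 : 1 }'
}
```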

More information about the redhat-list mailing list