The method I'm using is a little different from the FAQ. I defined a
zone called 'wrk', and added the remote IP addresses to that zone in
hosts, something like:
(eth1 is my internet connection) and then put:
wrk all CONTINUE
net all DROP
(in that order - important) in with the other lines in policy. Now I can
write rules like:
# the services we allow to be visible on the internet
ACCEPT net fw tcp smtp
ACCEPT net fw tcp http
# the additional services available only from our workplace
ACCEPT wrk fw tcp ssh
ACCEPT wrk fw tcp pop3
ACCEPT wrk fw tcp imap
And the right things happen. http and smtp are accessible from anywhere
(including work), but ssh, pop3 and imap are only accessible from work.
This approach is more complex than necessary if you've only one IP and
one service to worry about (as the FAQ covers), but in my case I had
multiple remote IPs (my workplace and my spouse's) and more than one
service, so I find this easier to understand and maintain.
Kudos to Tom for making something like this so straightforward to
> -----Original Message-----
> From: shorewall-users-bounces@...
> [mailto:shorewall-users-bounces@...] On
> Behalf Of Tom Eastep
> Sent: Wednesday, April 23, 2003 7:35 AM
> To: Michael Mansour
> Cc: shorewall-users@...
> Subject: Re: [Shorewall-users] ACCEPTing from specific sites
> On Wed, 23 Apr 2003, Michael Mansour wrote:
> > Hi,
> > I'm wondering how I setup Shorewall to only allow
> > access to ports via a certain IP address?
> > What I mean here is currently I set ACCEPT rules to
> > allow, say, SSH in from the internet (net), but what I
> > really want to do is only accept SSH from ip w.x.y.z
> > How do I set this up in Shorewall?
> This is a FAQ!
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@...
Shorewall-users mailing list
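The following is an added example, not part of the post above and not Shorewall's own code. It is a small Python model of how the overlapping 'wrk' and 'net' zones, the CONTINUE policy and the per-zone ACCEPT rules combine, so the "in that order - important" remark can be checked directly. The remote addresses (198.51.100.10 and 203.0.113.7) are constructed sample values, since the post does not give the real ones, and the evaluation order (policy lines top to bottom, a CONTINUE policy falling through to the next zone that also contains the source address) is a simplified assumption about Shorewall's behaviour, not a reproduction of its rule compiler.

```python
import ipaddress

# Constructed sample addresses for the two remote sites (assumption: the
# post does not give the real ones).
WORK_IP = "198.51.100.10"
SPOUSE_WORK_IP = "203.0.113.7"

# hosts: zone -> address prefixes. 'wrk' is a subset of 'net' (both arrive
# on eth1), which is why a CONTINUE policy is needed at all.
HOSTS = {
    "wrk": [ipaddress.ip_network(WORK_IP), ipaddress.ip_network(SPOUSE_WORK_IP)],
    "net": [ipaddress.ip_network("0.0.0.0/0")],
}

# policy: (source zone, default action), evaluated top to bottom.
# CONTINUE means "no zone-specific verdict; try the next matching zone".
POLICY = [
    ("wrk", "CONTINUE"),
    ("net", "DROP"),
]

# The same two lines in the wrong order, to show why the order matters.
SWAPPED_POLICY = [
    ("net", "DROP"),
    ("wrk", "CONTINUE"),
]

# rules: (action, source zone, protocol, destination service), as in the post.
RULES = [
    ("ACCEPT", "net", "tcp", "smtp"),
    ("ACCEPT", "net", "tcp", "http"),
    ("ACCEPT", "wrk", "tcp", "ssh"),
    ("ACCEPT", "wrk", "tcp", "pop3"),
    ("ACCEPT", "wrk", "tcp", "imap"),
]


def in_zone(ip, zone, hosts=HOSTS):
    """True if the source address belongs to the given zone."""
    return any(ip in prefix for prefix in hosts[zone])


def decide(src_ip, proto, service, policy=POLICY, rules=RULES, hosts=HOSTS):
    """Return the verdict for a packet from src_ip to the firewall itself.

    Simplified model (assumption): walk the policy table in order; for each
    zone containing the source, apply that zone's rules first and, if none
    match, the zone's default action. CONTINUE defers to the next zone.
    """
    ip = ipaddress.ip_address(src_ip)
    for zone, default in policy:
        if not in_zone(ip, zone, hosts):
            continue
        for action, rzone, rproto, rservice in rules:
            if rzone == zone and rproto == proto and rservice == service:
                return action
        if default != "CONTINUE":
            return default
    # Source matched no zone with a terminating policy: fail closed.
    return "DROP"


def matrix(policy=POLICY):
    """Verdict for each (source, service) pair; handy for eyeballing."""
    sources = {"work": WORK_IP, "elsewhere": "192.0.2.55"}  # constructed
    services = ["smtp", "http", "ssh", "pop3", "imap"]
    return {
        (name, svc): decide(ip, "tcp", svc, policy=policy)
        for name, ip in sources.items()
        for svc in services
    }


if __name__ == "__main__":
    for label, pol in (("correct order", POLICY), ("swapped order", SWAPPED_POLICY)):
        print(f"--- {label} ---")
        for (src, svc), verdict in matrix(pol).items():
            print(f"{src:>10} {svc:<5} {verdict}")
```

With the policy in the order the post gives, ssh from the work address falls through no further than the 'wrk' rules and is accepted, while http from the same address finds no 'wrk' rule, CONTINUEs into 'net', and is accepted there. With the two policy lines swapped, the work address is matched by 'net' first, finds no ssh rule and hits DROP before the 'wrk' rules are ever consulted, which is the failure mode the "in that order" note guards against.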