Hi,

I am very new to iptables.

Here is what I want. I have a redhat 9 server. I want the following two constraints on it at the same time

1- Blokk all services/ports except SSH and ftp, both should be available to any one any where in the world.
+
2-The following hosts can access all ports/services.
192.168.1.19
192.168.1.20
192.168.1.21

One more thing. How would I specify mac addresses instead of the ip addresses in the above number 2. I would like to play with both options.

Please accept my thanks in advance.

Regards.

RA.

Welcome to LQ!

Actually, that isn't that hard to do. Start off by denying everything:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then start allowing stuff in:

#SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#Allow a specific IP to access everything
iptables -A INPUT -s 192.168.1.19 -j ACCEPT
#Do it for a MAC address
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT

A few things to remember as well:
You're going to need to set some OUTPUT rules as well. Usually, limiting those to ESTABLISHED and RELATED states works OK. Also, remember that the rules are executed IN ORDER and iptables stops at the first rule that matches the packet. That can mean that even if the rules are correct, you may not be getting the desired behavior because they are in the wrong order. Finally, remember that filtering on a MAC address is only going to work for computers connected to your LAN directly. MAC addresses get stripped when they travel the Internet.

And be sure to have a good, long read at FrozenTux