From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-user+bounces-48293-garchives=archives.gentoo.org@gentoo.org>)
	id 1GBRRd-0003k4-Eg
	for garchives@archives.gentoo.org; Fri, 11 Aug 2006 07:28:37 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.7/8.13.6) with SMTP id k7B7QNk5032065;
	Fri, 11 Aug 2006 07:26:23 GMT
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.187])
	by robin.gentoo.org (8.13.7/8.13.6) with ESMTP id k7B7OHJM011216
	for <gentoo-user@lists.gentoo.org>; Fri, 11 Aug 2006 07:24:18 GMT
Received: by nf-out-0910.google.com with SMTP id a25so838441nfc
        for <gentoo-user@lists.gentoo.org>; Fri, 11 Aug 2006 00:24:18 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth;
        b=MM881oShwX+XEyh3uaboqav1gh2EtNDnUnqi+P/Kjjg80yz4eROa71c2QyhNnoi3uzy+dHME//4lkgkbfsBmE5wODOMQ18vd3zMqZL69wr5dFqysfnH4Y3tsUBVU0+Esg3hmYfA1aDoI9+rkyEWtnmiBE6ch1nUHHWc9hBch3JY=
Received: by 10.78.134.12 with SMTP id h12mr2059598hud;
        Fri, 11 Aug 2006 00:24:18 -0700 (PDT)
Received: by 10.78.16.17 with HTTP; Fri, 11 Aug 2006 00:24:17 -0700 (PDT)
Message-ID: <7573e9640608110024gf773d0dxa8ef9f1da0a9f73f@mail.gmail.com>
Date: Fri, 11 Aug 2006 00:24:17 -0700
From: "Richard Fish" <bigfish@asmallpond.org>
Sender: richard.j.fish@gmail.com
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: OT: iptables mac filtering
In-Reply-To: <loom.20060811T003230-539@post.gmane.org>
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <loom.20060809T191535-468@post.gmane.org>
	 <20060809214353.5787529e.hilse@web.de>
	 <loom.20060811T003230-539@post.gmane.org>
X-Google-Sender-Auth: 39aa1bb7176402a6
X-Archives-Salt: 0c5fd278-a653-49d5-8e45-666ecb97fbe9
X-Archives-Hash: 27b6efdce73c2512bc8826dd7c8ddfa5

On 8/10/06, James <wireless@tampabay.rr.com> wrote:
> I need a rule on the 3 (nic) interface firewall so that only
> ssh from the LAN is allowed to the firewall or sytems (web
> server, mail dns) in the DMZ. Only one static ip is routable
> to this site. SSH from the outside should be completely blocked.
>
> Any ideas, examples or thoughts?

Just I guess as I haven't tried this:

---
IF_INTERNET=eth0
IF_DMZ=eth1
IF_LAN=eth2

# allow ssh connections from LAN to us
iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT
# allow routing of ssh connections from LAN to DMZ hosts
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 22 -j ACCEPT
# deny all other ssh connections
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A FORWARD -p tcp --dport 22 -j DROP
---

HTH,
-Richard
-- 
gentoo-user@gentoo.org mailing list