Hi, is it possible to limit an IP to only see the LDAP port, and block the others?
Regards
Moin,
not without editing the templates. With the security/packetfilter/... entries you cannot specify a source IP, and /etc/security/packetfilter.d/50_local.sh is too late, i.e., 10_univention-firewall_start.sh contains the UCR settings.
(Ok, in theory you could set all security/packetfilter/... entries to DROP and put almost all config into 50_local.sh, but in that case, editing the templates would be much cleaner.)
Hey,
No, it isn’t too late. You can easily insert rules at the top with iptables -I INPUT …
instead of appending them at the end.
Kind regards,
mosu
I’ve set in /etc/security/packetfilter.d/50_local.sh:
iptables -I INPUT -s $IP -j DROP
iptables -A INPUT -p tcp --dport $PORT -s $IP -j ACCEPT
No connections from $IP at all.
Yeah sure, with -I you insert the rule to block everything from $IP at the very top. That second rule will never match.
Change the second iptables -A… to iptables -I…. That way the exception to allow that port will actually be the first rule.
m.
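The ordering point mosu makes, as an added example (not code from the thread or from Univention): a 50_local.sh-style snippet that inserts both rules with -I so the port exception lands above the catch-all DROP, plus a small first-match simulator that shows why the -I/-A mix drops everything. The address 192.0.2.10, the variable names and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example: restrict one source address to the LDAP port only.
# Because -I prepends, the rule inserted LAST ends up on top of the
# INPUT chain, so the ACCEPT for the port has to be inserted after the
# DROP for the address. Hypothetical values; adjust to your setup.
IP="${IP:-192.0.2.10}"             # constructed sample address (TEST-NET-1)
PORT="${PORT:-389}"                # LDAP; use 636 for LDAPS
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run

# Insert the two rules for one address; the order of the -I calls matters.
restrict_ip_to_port() {
    ip="$1"; port="$2"
    # Inserted first, so it ends up second in the chain.
    "$IPTABLES" -I INPUT -s "$ip" -j DROP
    # Inserted afterwards, so it lands above the DROP and matches first.
    "$IPTABLES" -I INPUT -p tcp --dport "$port" -s "$ip" -j ACCEPT
}

# Simulate how a sequence of -I / -A calls orders a chain.
# Reads lines "I <rule>" or "A <rule>" from stdin and prints the final
# chain top to bottom; the first line is the rule that matches first.
simulate_chain() {
    chain=""
    while read -r mode rule; do
        case "$mode" in
            I) chain="$rule
$chain" ;;                         # prepend
            A) chain="$chain
$rule" ;;                          # append
        esac
    done
    printf '%s\n' "$chain" | sed '/^$/d'
}

# Run with "apply" to change the firewall; anything else is a dry-run.
case "${1:-dry-run}" in
    apply)   restrict_ip_to_port "$IP" "$PORT" ;;
    *)       (IPTABLES=echo; restrict_ip_to_port "$IP" "$PORT") ;;
esac
```

Feed the simulator the thread's original pair ("I drop" then "A accept") and the DROP comes out on top; with two -I lines the ACCEPT does.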
Oh my god!!! Sorry
Works fine!!!