Hi, is it possible to limit an ip only see ldap port, and block others?
Regards
Moin,
not without editing the templates. With the security/packetfilter/... entries you cannot specify a source IP, and /etc/security/packetfilter.d/50_local.sh is too late, i.e., 10_univention-firewall_start.sh contains the UCR settings.
(Ok, in theory you could set all security/packetfilter/... entries to DROP and put almost all config into 50_local.sh, but in that case, editing the templates would be much cleaner)
Hey,
No, it isn’t too late. You can easily insert rules at the top with iptables -I INPUT … instead of appending them at the end.
Kind regards,
mosu
I’ve set in /etc/security/packetfilter.d/50_local.sh:
iptables -I INPUT -s $IP -j DROP
iptables -A INPUT -p tcp --dport $PORT -s $IP -j ACCEPT
no connections from $IP
Yeah sure, with -I you insert the rule to block everything from $IP at the very top. That second rule will never match.
Change the second iptables -A… to iptables -I…. That way the exception to allow that port will actually be the first rule.
m.
O my god!!! Sorry
Works fine!!!