nixCraft

Iptables is full of shit. If one rule goes wrong, my ssh server and remote connectivity goes down. I am just wondering if there is a way (easy way) to allow or deny access by IP Address to services such as Apache or SSH Server, mail server etc…

Currently I want to block access to certain machines…

You can use any one of the following way to Allow or Deny access by IP address
a) Using IPTABLES based firewall
b) Using TCPD - /etc/hosts.allow and /etc/hosts.deny files

Option b (hosts.allow/hosts.deny) is the easiest to use and supported by all major servers.

Allow incoming packets to tcpd are first matched again hosts.allow and then if there are no matches, they are checked against the rules in hosts.deny file.
Syntax is as follows:
server-name: hostname or ip-address

Where servername can be smbd (samba), sshd (OpenSSH server), sendmail etc.

For example allow sshd access to 192.168.1.1 and 192.168.1.100 IP address only. You need to put following in /etc/hosts.allow file:
More example, allow access to all cyberciti.biz hosts (i.e. it will match www.cyberciti.biz, mail.cyberciti.biz etc to ssh):
Allow subnet 192.168.1.0/255.255.255.0 to access sshd:
Block telnet to ALL:
Block telnet to ALL EXCEPT ip 192.168.1.100
Read the man page of hosts.allow and hosts.deny for more info.

For option b, (iptable see following url http://www.cyberciti.biz/faqs/2006/0...nux-server.php

__________________
Vivek | My personal blog
Linux Evangelist
Play hard stay cool