Patrick Coleman wrote:
> How can I provide some services, but no internet access to untrusted hosts, yet still allow trusted
> clients on wireless to access the internet (clearly I can't simply firewall off the access point)?
>
> Thanks in advance,
> Patrick

Why not? That's exactly what I do at work.

The work setup is a linux box with 2 NICs; eth0 internal NW and eth1 external. DNAT. The firewall script reads /etc/firewall/ACL which contains the IPs of the machines allowed internet access. More specifically, ACL contains:

    192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
    192.168.1.4;udp;123;--dport;123
    192.168.1.4;tcp;1024:65535;--dport;1024:65535
    192.168.1.4;udp;1024:65535;--dport;1024:65535

Note that I chose semicolon as a delimiter because it was the first thing I thought of that would work. I have as many of those 4-line entries as there are allowed computers. Most have a much more limited first line --dport list than I show here because they don't need all those services.

Then the applicable part of the iptables script:

    # Access control:
    if [ -f /etc/firewall/ACL ]; then
        while read FWD ; do
            IP=`echo "$FWD" | cut -d ';' -f 1`
            PROTO=`echo "$FWD" | cut -d ';' -f 2`
            SPORT=`echo "$FWD" | cut -d ';' -f 3`
            PLURAL=`echo "$FWD" | cut -d ';' -f 4`   # either "--dport" or "-m mport --dports"
            DPORT=`echo "$FWD" | cut -d ';' -f 5 | cut -d '#' -f 1`
            iptables -A FORWARD -i $IFI -o $IFE -s $IP -p $PROTO --sport $SPORT $PLURAL $DPORT -j ACCEPT
        done </etc/firewall/ACL
    fi
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The DPORT line allows "inline" comments at the end of any line. $IFE and $IFI should be self explanatory. Everything on the FORWARD chain that is not specifically allowed is denied (DROPped).

HTH
gypsy

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
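The loop above passes every ACL field straight onto an iptables command line, so a stray or mistyped line becomes a rule (or an iptables error) with nothing checking it first. As an added example, not code from gypsy's post, here is a POSIX sh dry-run checker for that same semicolon-delimited format that validates each field and prints the rule it would append; the eth0/eth1 defaults for IFI/IFE and the sample lines are assumptions made for this example.

```shell
# Added example, not from the original post: dry-run checker for the
# semicolon-delimited /etc/firewall/ACL format. Fields are validated before
# they could reach an iptables command line, "#" comments and blank lines are
# skipped, and the rule that would be appended is printed instead of running
# iptables. IFI/IFE default to the post's eth0/eth1; sample lines are constructed.
IFI=${IFI:-eth0}
IFE=${IFE:-eth1}

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# True if $1 is a port spec iptables accepts: digits, ':' ranges, ',' lists.
is_portspec() {
    case "$1" in ''|*[!0-9:,]*) return 1 ;; esac
}

# Reads ACL lines on stdin, prints one iptables command per valid line, reports
# malformed lines on stderr and returns 1 if any were seen, so the caller can
# refuse to load the file instead of silently skipping entries.
acl_to_rules() {
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}                      # drop inline comment
        [ -n "$(printf '%s' "$line" | tr -d ' \t')" ] || continue
        old=$IFS; IFS=';'; set -- $line; IFS=$old   # split on ';' only
        ok=1
        [ $# -eq 5 ] || ok=0                  # exactly five fields
        ip=$(printf '%s' "$1" | tr -d ' \t'); proto=$(printf '%s' "$2" | tr -d ' \t')
        sport=$(printf '%s' "$3" | tr -d ' \t'); dport=$(printf '%s' "$5" | tr -d ' \t')
        is_ipv4 "$ip" || ok=0
        case "$proto" in tcp|udp) ;; *) ok=0 ;; esac
        is_portspec "$sport" && is_portspec "$dport" || ok=0
        # The two forms the post uses, plus the in-tree multiport match.
        case "$4" in '--dport'|'-m mport --dports'|'-m multiport --dports') ;; *) ok=0 ;; esac
        if [ "$ok" -eq 1 ]; then
            echo "iptables -A FORWARD -i $IFI -o $IFE -s $ip -p $proto --sport $sport $4 $dport -j ACCEPT"
        else
            echo "REJECTED: $line" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not the author's ACL); the last line is deliberately short.
printf '%s\n' '192.168.1.4;udp;123;--dport;123 # ntp' \
    '192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80' \
    '192.168.1.9;tcp;1024:65535;--dport' | acl_to_rules || echo "bad ACL, not loading" >&2
```

Swapping the `echo` for a real `iptables` call only after the whole file has passed gives the same rules as the original loop, but refuses to load an ACL with a malformed entry.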