Your first problem is that you want -A FORWARD instead of -A OUTPUT. "OUTPUT" refers to connections originating from your linux box. FORWARD refers to traffic going through the router, which is what you want. Second, -d 192.168.1.8 does not mean what you think it means. -d 192.168.1.8 would match packets destined to your 192.168.1.8. This does not mean traffic ROUTED to 192.168.1.8, destined for places behind 192.168.1.8, it means traffic whose final destination is 192.168.1.8. Probably not what you want. So, if I understood you correctly, you have a network like this: Your LAN, connected to your linux router on eth1. On eth0, you have the internet, and on the same network, another router 192.168.1.8, behind which lie your other networks. You want to allow access to the internet but not to the networks behind 192.168.1.8, except for some special computers. If this is correct, based on that information I would do it like this: iptables -P FORWARD DROP iptables -A FORWARD -i eth1 -o eth0 -d ! 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i etho -i eth1 -s ! 192.168.0.0/16 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 192.168.1.3 -j ACCEPT iptables -A FORWARD -d 192.168.1.3 -s 192.168.0.0/16 -j ACCEPT repeat the last two lines for all your hosts that you want to allow to your networks. Here, I'm assuming all your networks are in the 192.168.x.x block. What these rules do in plain english is: 1.default policy is to drop everything trying to go through our linux box 2.allow anything from eth1 going out of eth0 so long as its not headed to 192.168.x.x 3.allow anything from eth0 to eth1 so long as its not from 192.168.x.x, and the connection has been initiated from within the network (if your network is already not accessible directly from the internet, the latter part, ie the whole -m state part, is probably unnecessary) 4. allow 192.168.1.3 to go anywhere (if this is what you want. you can also specify -d 192.168.0.0/16 for example, depending on your specific situation) 5. allow anything from 192.168.0.0/16 to 192.168.1.3 This is just one way to do it, and depending on the specific circumstances you might want to change things. But hopefully these examples will get you on the right track. urgrue > Hi, > this is the situation: > 192.168.1.7 linux firewall with eth0 on internet and eth1 on intranet > 192.168.1.8 router for internal networks (192.168.4.0,192.168.2.0,ecc.) > The firewall is the main gateway of the whole network, so packets are sent to > it and redirected to the internet or the other router (192.168.1.8). > I'd like to block connections to everything that is going to the router > 192.168.1.8 excepts for certain machines, thus I've defined the following > rules: > > $IPTABLES -A OUTPUT -o $INTIF -d 192.168.1.8 -s 192.168.1.30 -j ACCEPT > $IPTABLES -A OUTPUT -o $INTIF -d 192.168.1.8 -s 192.168.1.37 -j ACCEPT > $IPTABLES -A OUTPUT -o $INTIF -d 192.168.1.8 -s 192.168.1.64 -j ACCEPT > $IPTABLES -A OUTPUT -o $INTIF -d 192.168.1.8 -s 192.168.1.3 -j ACCEPT > $IPTABLES -A OUTPUT -o $INTIF -d 192.168.1.8 -s 0/0 -j DROP > > > but it is not working, and I can connect from other machine trhu 192.168.1.8. > In the OUTPUT chain packets should be already be natted, thus my doubt is > that the destination address is the final one (e.g., 192.168.4.100) and not > the router one. Is there a way to lock the traffic to the router using > iptables? > > Thanks, > Luca > -- > Luca Ferrari, > fluca1978@xxxxxxxxxxx > - > : send the line "unsubscribe linux-admin" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > - : send the line "unsubscribe linux-admin" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
