help to build a small firewall for a child

Hi all,
this is part of my configuration. From 192.168.2.2 you can now surf the internet
(I have default IP masquerading on 192.168.2.1, iptables based). I do not want to
use the router to do this stuff; the 192.168.2.1 server is what I want to use,
with iptables, hopefully.


child PC |       |                       |    | adsl                   |
 wlan0   |       |  wlan0 server eth0    |    | router                 |
         |       |                       |    |                        |
192.168.2.2 ----- 192.168.2.1 - 10.0.0.1 ---- 10.0.0.138 -151.38.133.194 - internet

I want my child on 192.168.2.2 to be able to connect to a limited list of
web sites (or IPs), say
209.10.154.66
192.25.206.10
63.70.47.55

On eth1 of the server there is another net, 192.168.1.0 (the server is
192.168.1.1 and the other is 192.168.1.0), which I want to keep able to do
everything.

Any example for me?

Thanks a lot, and bye

andrea

This is the ifconfig output:
eth0      Link encap:Ethernet  HWaddr 52:54:05:E2:AD:5A
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:50:FC:3F:C8:6F
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
wlan0     Link encap:Ethernet  HWaddr 00:09:5B:12:10:AA
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

and this is the iptables-save output:

# Generated by iptables-save v1.2.6a on Sun Mar 23 20:29:09 2003
*mangle
:PREROUTING ACCEPT [349421:238898421]
:INPUT ACCEPT [349361:238894776]
:FORWARD ACCEPT [6:360]
:OUTPUT ACCEPT [272574:19680094]
:POSTROUTING ACCEPT [272580:19680454]
-A PREROUTING -i eth1 -j IMQ --todev 0
-A PREROUTING -i eth1 -j MARK --set-mark 0xa
COMMIT
# Completed on Sun Mar 23 20:29:09 2003
# Generated by iptables-save v1.2.6a on Sun Mar 23 20:29:09 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -d 255.255.255.255 -i eth1 -j ACCEPT
-A INPUT -d 255.255.255.255 -i wlan0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i wlan0 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p ! tcp -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i wlan0 -p ! tcp -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j LOG
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth0 -j LOG
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT
-A INPUT -d 10.0.0.1 -i eth0 -j ACCEPT
-A INPUT -d 10.255.255.255 -i eth0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.2.0/255.255.255.0 -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -o eth0 -j LOG
-A FORWARD -d 192.168.1.0/255.255.255.0 -o eth0 -j DROP
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth0 -j LOG
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth0 -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth1 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o wlan0 -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o wlan0 -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth1 -p ! tcp -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o wlan0 -p ! tcp -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o eth0 -j LOG
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth0 -j LOG
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -d 255.255.255.255 -o eth0 -j ACCEPT
-A OUTPUT -s 10.0.0.1 -o eth0 -j ACCEPT
-A OUTPUT -s 10.255.255.255 -o eth0 -j ACCEPT
-A OUTPUT -j LOG
-A OUTPUT -j DROP
COMMIT
# Completed on Sun Mar 23 20:29:09 2003
# Generated by iptables-save v1.2.6a on Sun Mar 23 20:29:09 2003
*nat
:PREROUTING ACCEPT [5260:467218]
:POSTROUTING ACCEPT [261:17083]
:OUTPUT ACCEPT [14928:978050]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.1
COMMIT
# Completed on Sun Mar 23 20:29:09 2003


andrea@xxxxxxxxxx
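
One way to do what the post asks, as an added example that is not part of the original message or any list reply: a small POSIX shell script that generates (and optionally applies) iptables commands confining the child PC on wlan0 to the three listed addresses. It uses the interfaces, addresses and allow-list from the post; CHILD_MAC, DNS_SERVER, the chain name CHILD and the ports 80/443 are assumptions to adjust, and it relies on the stock state, mac and multiport matches (ip_conntrack loaded). The important detail for this ruleset is ordering: the existing rule `-A FORWARD -s 192.168.2.0/24 -i wlan0 -o eth0 -j ACCEPT` lets the whole wlan0 net out, so the child's jump has to be inserted at position 1 of FORWARD, ahead of it, or it never matches.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables commands that confine
# one wlan0 host to an allow-list of destination IPs. With no argument the commands
# are printed (dry run); with "apply" they are executed via sh (run as root).

CHILD_IP="192.168.2.2"
CHILD_MAC=""                    # assumption: e.g. "00:11:22:33:44:55"; empty = match by IP only
LAN_IF="wlan0"
WAN_IF="eth0"
DNS_SERVER="192.168.2.1"        # assumption: the resolver the child PC is configured to use
ALLOWED_IPS="209.10.154.66 192.25.206.10 63.70.47.55"
CHAIN="CHILD"                   # assumption: name of the dedicated chain

# Source match for the child: the IP plus, when known, the MAC, so that simply
# changing the address on the child PC is no longer enough to escape the list.
child_src() {
    if [ -n "$CHILD_MAC" ]; then
        printf '%s\n' "-s $CHILD_IP -m mac --mac-source $CHILD_MAC"
    else
        printf '%s\n' "-s $CHILD_IP"
    fi
}

# Print the full rule sequence, one iptables invocation per line.
child_rules() {
    src=$(child_src)
    # A separate chain so the allow-list can be reloaded without touching the rest of FORWARD.
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Packets belonging to connections the child already opened.
    echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS to the permitted resolver only. If the resolver is the server itself
    # this never matches in FORWARD (that traffic hits INPUT) and is harmless.
    echo "iptables -A $CHAIN -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
    echo "iptables -A $CHAIN -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT"
    # New HTTP/HTTPS connections to each listed address; nothing else.
    for ip in $ALLOWED_IPS; do
        echo "iptables -A $CHAIN -d $ip -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT"
    done
    # Everything else from the child is logged, then dropped.
    echo "iptables -A $CHAIN -j LOG --log-prefix 'CHILD-DROP: '"
    echo "iptables -A $CHAIN -j DROP"
    # Remove a stale jump (ignore errors), then insert at position 1 of FORWARD: it
    # must run before '-s 192.168.2.0/24 -i wlan0 -o eth0 -j ACCEPT', which allows all.
    echo "iptables -D FORWARD -i $LAN_IF -o $WAN_IF $src -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF $src -j $CHAIN"
}

if [ "${1:-}" = "apply" ]; then
    child_rules | sh
else
    child_rules
fi
```

Two caveats a practitioner would add: the allow-list is by destination address, so a site that moves or spreads over several addresses silently breaks until the list is updated, and filtering on source IP (even with the MAC match, which is also spoofable) only raises the bar rather than authenticating the child PC; the log prefix makes it easy to see in syslog what is being blocked and why.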


