On Sunday 23 March 2003 02:34 pm, Andrea Tasso wrote:
> hi all,
> this is a part of my configuration, now from 192.168.2.2 you can
> surf the internet (I have default ipmask on 192.168.2.1, iptables
> based). the router I do not want to use to do this stuff, but the
> 192.168.2.1 server is what I want to use, with iptables, hopefully.
>
> child PC                      adsl
>    |                           |
>    |                           |
>    | wlan0                     |
> wlan0 server eth0 ------------ router

It's generally believed to be a bad idea to post your complete firewall
rules and your public IP to the list. All posts to this list eventually
find themselves on a public web page indexed by search engines.

> I want my child on 192.168.2.2 to be able to connect to a limited list
> of web sites (or IPs), say
> 209.10.154.66
> 192.25.206.10
> 63.70.47.55
> On eth1 of server there is another net 192.168.1.0 (the server is
> 192.168.1.1 and the other is 192.168.1.0) I want to keep being able to
> do everything
> any example for me ?

This is not the best way to handle this; it really shouldn't be a
firewall solution. Filtering in a proxy would be more appropriate. If
the child in question has their own computer, and it runs Windows, you
can enable filtering in Internet Exploiter and create an 'approved'
list there, which will require a password to bypass or add to.

But as far as restricting via netfilter, this should do what you ask:

iptables -N KidFilter
iptables -A FORWARD -s 192.168.2.2 -p tcp --dport 80 -j KidFilter
iptables -A FORWARD -s 192.168.2.2 -p tcp --dport 80 -j REJECT \
    --reject-with icmp-host-prohibited
iptables -A KidFilter -d 209.10.154.66 -j ACCEPT
etc.

You can also use the URL in a rule, like:

iptables -A KidFilter -d www.mamamedia.com -j ACCEPT

If you want to get fancier, you can keep a list of approved IPs (or
URLs) somewhere, like /usr/etc/KidFilterIPs, then add those from within
a firewall script with this loop:

for ip in $(cat /usr/etc/KidFilterIPs | grep -v '#'); do
    /sbin/iptables -A KidFilter -d "$ip" -j ACCEPT
done

The "grep -v #" will match any line in the file that does NOT have a #
in it. This means you have to have each IP or URL on a separate line,
and you can insert comment lines in the list simply by having a #
somewhere in the line, traditionally the first character. If you go
with this you'll need to ensure that /usr/etc/KidFilterIPs is readable
by root at least.

> and this iptables-save

Do you use iptables-load and iptables-save each time, or just to
generate this listing? If you use it all the time, then the above
approach would still work, but obviously you wouldn't have a script you
could place the mentioned loop in...

> -A FORWARD -s 192.168.2.0/255.255.255.0 -i wlan0 -o eth0 -j ACCEPT

Just make sure that the rules for this specific computer are reached
before this rule here. You want to filter 192.168.2.2 first, ACCEPTing
what is acceptable, REJECTing what you don't want to permit, THEN the
rest of 192.168.2.0/24 will still be handled by this rule. If
connections from 192.168.2.2 hit this rule first, they will always get
through.

> andrea@xxxxxxxxxx
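Putting the reply's pieces together, here is an added example (my own script, not the poster's or the list's code) that builds the KidFilter chain from the allow-list file, handles # comments with correct quoting, and inserts the per-child rules ahead of the broad subnet ACCEPT so they are actually reached. The function names, the CHILD_IP variable and the IPTABLES override are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the poster's code): build the KidFilter chain from an
# allow-list file, one IP or hostname per line, '#' starting a comment.
# IPTABLES is left unquoted on purpose so that IPTABLES="echo iptables"
# prints the rules for inspection instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHILD_IP="${CHILD_IP:-192.168.2.2}"

# Print the usable entries of the list: strip '#' comments and blank lines.
# Note the quotes: an unquoted # in "grep -v #" would itself start a shell
# comment and leave grep with no pattern at all.
read_allowlist() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$'
}

# Emit the rules in the order they must be evaluated. The two FORWARD rules
# are inserted at the top of the chain so they are hit before any broad
# "-s 192.168.2.0/24 -j ACCEPT" rule; appended rules would come too late
# and the child's traffic would always get through.
kidfilter_rules() {
    listfile="$1"
    $IPTABLES -N KidFilter
    $IPTABLES -I FORWARD 1 -s "$CHILD_IP" -p tcp --dport 80 -j KidFilter
    $IPTABLES -I FORWARD 2 -s "$CHILD_IP" -p tcp --dport 80 -j REJECT \
        --reject-with icmp-host-prohibited
    # Hostnames in -d are resolved once, when the rule is loaded, so a list
    # of names only stays correct until the site's address changes.
    read_allowlist "$listfile" | while read -r dest; do
        $IPTABLES -A KidFilter -d "$dest" -j ACCEPT
    done
}
```

Call `kidfilter_rules /usr/etc/KidFilterIPs` from the firewall script; running it once with IPTABLES="echo iptables" shows the exact rules that would be loaded.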