Hi,

Many thanks for your help everyone, it's all up and running now. You were right, it was the order I had it in. I made two extra chains, restricted and allow. That seems to do it. E.g.:

*filter
:INPUT DROP [2789:198491]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1953:582221]
:allow - [0:0]
:restricted - [0:0]
:firewall - [0:0]
# These PCs are unrestricted
-A FORWARD -s 192.168.0.185 -j allow
-A FORWARD -s 192.168.0.247 -j allow
# Allow restricted PCs to access these sites
-A FORWARD -s 192.168.0.0/24 -d 1.2.3.4 -p tcp -m tcp --sport 80 -j allow
-A FORWARD -s 192.168.0.0/24 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j allow
# Restricted access to IP addresses
-A FORWARD -s 192.168.0.0/24 -i eth0 -j restricted
-A allow -j ACCEPT
-A restricted -j DROP
-A firewall -j DROP
COMMIT

Again many thanks for your help

CT

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Rob Sterenborg
Sent: Tuesday, July 08, 2003 4:58 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Restricted Access

> All my clients have fixed IPs
> and are on an internal net of 192.168.0/24
>
> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
>
> # Ban this PC
> -A FORWARD -s 192.168.0.245 -i eth0 -j firewall
>
> This is the bit that I can't get to work.
> I can stop the client 192.168.0.245 getting the net at all
> with the above rule, but then I want that client to be able to
> go to 1.2.3.4
>
> -A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --sport 80 -j ACCEPT
> -A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j ACCEPT

Maybe you don't use the correct order for your rules? You have to tell iptables about the restricted client first, after that about the unrestricted clients. Rules are evaluated in the order you entered them.
# Drop everything that doesn't have a rule for it
# If you didn't tell the complete story, it may break other things ;)
iptables -P FORWARD DROP

# Accept related and established
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Tell iptables what to accept from the restricted client
# From what I see you want to let the restricted client connect to
# port 80/tcp on 1.2.3.4.
# Are you sure it connects *from* port 80/tcp ?? If not, don't use --sport.
# Drop everything else from the restricted client
iptables -A FORWARD -i eth0 -s 192.168.0.245 -d 1.2.3.4 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.245 -j DROP

# Accept everything from the other clients (you already dropped
# the restricted client here..)
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT

# The MASQ rule
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 [-o <if_out>] -j MASQUERADE

Rob.
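The point both messages turn on is that netfilter is a first-match engine: the first rule in a chain that matches a packet decides its fate, a jump into a user chain that decides nothing falls back to the calling chain, and the chain policy only applies when no rule at all has matched. The following is an added example, not code from either message in this thread: a small Python model of that evaluation order, run over Rob's ruleset, the same rules with the subnet-wide ACCEPT placed first (the ordering CT started with), and CT's final allow/restricted chain layout. The packets and the address 198.51.100.7 are constructed for the demo; 1.2.3.4 and the 192.168.0.0/24 clients are the placeholders used in the thread.

```python
"""Added example, not code from the thread: a first-match model of how
netfilter walks the FORWARD chain, to show why rule order matters.
Modelled: -s/-d (CIDR), -i, -p, --sport/--dport, -m state --state, and the
targets ACCEPT/DROP/RETURN or a jump to a user chain.  A user chain that
decides nothing returns to its caller; the policy applies only if no rule
decides.  Packets and 198.51.100.7 are constructed for the demo."""
import ipaddress

def parse_rule(line):
    """'-A CHAIN <matches> -j TARGET' -> (chain, matches, target)."""
    toks = line.split()
    chain, m, target, i = toks[1], {}, None, 2
    while i < len(toks):
        t, arg = toks[i], toks[i + 1]
        if t in ("-s", "-d"):
            m[t] = ipaddress.ip_network(arg, strict=False)
        elif t in ("-i", "-p"):
            m[t] = arg
        elif t in ("--sport", "--dport"):
            m[t] = int(arg)
        elif t == "--state":
            m[t] = set(arg.split(","))
        elif t == "-j":
            target = arg
        elif t != "-m":              # '-m tcp' / '-m state' only name an extension
            raise ValueError("unsupported option " + t)
        i += 2
    return chain, m, target

def matches(m, pkt):
    """True when every match in the rule agrees with the packet."""
    return all((
        "-s" not in m or ipaddress.ip_address(pkt["src"]) in m["-s"],
        "-d" not in m or ipaddress.ip_address(pkt["dst"]) in m["-d"],
        "-i" not in m or pkt["iif"] == m["-i"],
        "-p" not in m or pkt["proto"] == m["-p"],
        "--sport" not in m or pkt["sport"] == m["--sport"],
        "--dport" not in m or pkt["dport"] == m["--dport"],
        "--state" not in m or pkt["state"] in m["--state"],
    ))

class Ruleset:
    def __init__(self, text):
        """Parse iptables-save style lines for one table."""
        self.policy, self.chains = {}, {}
        for line in text.strip().splitlines():
            line = line.strip()
            if not line or line[0] in "#*" or line == "COMMIT":
                continue
            if line.startswith(":"):             # ':NAME POLICY [pkts:bytes]'
                name, pol = line[1:].split()[:2]
                self.policy[name] = None if pol == "-" else pol
                self.chains[name] = []
            else:
                chain, m, target = parse_rule(line)
                self.chains[chain].append((m, target))

    def _walk(self, chain, pkt):
        for m, target in self.chains[chain]:
            if not matches(m, pkt):
                continue
            if target in ("ACCEPT", "DROP"):
                return target
            if target == "RETURN":
                return None
            v = self._walk(target, pkt)          # user chain; fall through if undecided
            if v is not None:
                return v
        return None

    def verdict(self, pkt, chain="FORWARD"):
        v = self._walk(chain, pkt)
        return v if v is not None else self.policy[chain]

STATE = "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
SITE = "-A FORWARD -i eth0 -s 192.168.0.245 -d 1.2.3.4 -p tcp --dport 80 -j ACCEPT"
DROP = "-A FORWARD -i eth0 -s 192.168.0.245 -j DROP"
LAN = "-A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT"
# Rob's ordering: the restricted client is decided before the subnet-wide ACCEPT.
ROB_ORDER = "\n".join([":FORWARD DROP [0:0]", STATE, SITE, DROP, LAN])
# Same rules with the subnet-wide ACCEPT first: SITE and DROP are never reached.
WRONG_ORDER = "\n".join([":FORWARD DROP [0:0]", STATE, LAN, SITE, DROP])
# CT's final layout with the 'allow' and 'restricted' user chains.
CT_CHAINS = """
:FORWARD ACCEPT [0:0]
:allow - [0:0]
:restricted - [0:0]
-A FORWARD -s 192.168.0.185 -j allow
-A FORWARD -s 192.168.0.247 -j allow
-A FORWARD -s 192.168.0.0/24 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j allow
-A FORWARD -s 192.168.0.0/24 -i eth0 -j restricted
-A allow -j ACCEPT
-A restricted -j DROP
"""

def pkt(src, dst, dport, iif="eth0", state="NEW"):
    """Constructed TCP packet as the FORWARD chain would see it."""
    return dict(src=src, dst=dst, proto="tcp", sport=40000, dport=dport, iif=iif, state=state)

def compare(p):
    """Verdict of each ruleset for one packet, keyed by ruleset name."""
    return {name: Ruleset(text).verdict(p) for name, text in
            (("rob", ROB_ORDER), ("wrong", WRONG_ORDER), ("ct", CT_CHAINS))}
```

Calling compare(pkt("192.168.0.245", "198.51.100.7", 443)) gives DROP for Rob's ordering and for CT's chains, but ACCEPT for the wrong ordering, because the subnet-wide rule has already accepted the packet before the per-host DROP is consulted. The same client to 1.2.3.4:80 is accepted everywhere, and a packet arriving from outside that belongs to no existing connection hits no rule in Rob's set and so falls to the FORWARD policy of DROP, which is what his `-P FORWARD DROP` plus the RELATED,ESTABLISHED rule is for. The model ignores the `--sport 80` rule on purpose: as Rob notes, a client connecting to port 80 does not send from port 80, so that rule matches nothing useful.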