RE: Restricted Access

Hi,

Many thanks for your help everyone, it's all up and running now.
You were right, it was the order I had it in.
I made 2 extra chains, restricted and allow.
That seems to do it.

Eg:

*filter
:INPUT DROP [2789:198491]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1953:582221]
:allow - [0:0]
:restricted - [0:0]
:firewall - [0:0]

# These PC's are unrestricted: they hit the allow chain before the
# catch-all restricted rule further down is reached
-A FORWARD -s 192.168.0.185 -j allow
-A FORWARD -s 192.168.0.247 -j allow

# Allow restricted PC's to access these sites.
# The clients connect *to* port 80 on 1.2.3.4, so only --dport 80 is needed;
# a matching --sport 80 rule would only fire if a LAN client were itself
# serving HTTP to 1.2.3.4 and has been left out.
-A FORWARD -s 192.168.0.0/24 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j allow

# Everything else from the LAN arriving on eth0 goes to the restricted chain.
# Note the FORWARD policy is ACCEPT: packets that arrive on any other
# interface and match none of these rules are forwarded by the policy.
-A FORWARD -s 192.168.0.0/24 -i eth0 -j restricted

-A allow -j ACCEPT
-A restricted -j DROP
-A firewall -j DROP
COMMIT

Again many thanks for your help

CT


-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Rob Sterenborg
Sent: Tuesday, July 08, 2003 4:58 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Restricted Access


> All my clients have fixed IP's
> And are on an internal net of 192.168.0/24

> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE

> # Ban this PC
> -A FORWARD -s 192.168.0.245 -i eth0 -j firewall
> 
> This is the bit that I can't get to work
> I can stop the client 192.168.0.245 to get the net at all
> with the above rule But then I want that client to be able to 
> go to 1.2.3.4
> 
> -A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --sport 80 -j ACCEPT
> -A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j ACCEPT


Maybe you don't use the correct order for your rules?
You have to tell iptables about the restricted client first, after that
about the unrestricted clients.
Rules are evaluated in the order you entered them.


# Drop everything that doesn't have a rule for it
#   If you didn't tell the complete story, it may break other things ;)
iptables -P FORWARD DROP

# Accept related and established
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Tell iptables what to accept from the restricted client
# From what I see you want to let the restricted client connect to
#   port 80/tcp on 1.2.3.4.
# Are you sure it connects *from* port 80/tcp ?? If not, don't use --sport.
iptables -A FORWARD -i eth0 -s 192.168.0.245 -d 1.2.3.4 -p tcp --dport 80 -j ACCEPT

# Drop everything else from the restricted client
iptables -A FORWARD -i eth0 -s 192.168.0.245 -j DROP

# Accept everything from the other clients (you already dropped
#   the restricted client here..)
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT

# The MASQ rule
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 [-o <if_out>] -j MASQUERADE


Rob.
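As an added illustration of the ordering point in this thread (this is not code from either post): a small Python model of iptables first-match evaluation, with jumps into user-defined chains and a built-in chain policy. It runs the same packets through three FORWARD layouts: a blanket LAN accept placed before the per-client rules (the ordering Rob warns about, constructed here), Rob's restricted-client-first ordering, and CT's chain-based ruleset with FORWARD policy ACCEPT. The model is stateless, so the RELATED,ESTABLISHED rule is not represented, and the host 198.51.100.7 is a constructed "some other site".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TERMINAL = ("ACCEPT", "DROP")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str = "eth0"   # LAN side, as in the thread
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One -A line; a match field left as None means 'don't care'."""
    target: str                       # ACCEPT, DROP or a user-defined chain name
    src: Optional[str] = None         # -s (CIDR or single host)
    dst: Optional[str] = None         # -d
    in_iface: Optional[str] = None    # -i
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]]
    policy: Dict[str, str]            # built-in chains only; user chains have none

    def walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """First matching rule wins; a user chain that decides nothing returns."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = self.walk(rule.target, pkt)   # jump into a user-defined chain
            if verdict is not None:
                return verdict
            # implicit RETURN: keep evaluating the calling chain
        return self.policy.get(chain)               # None for a user chain

    def verdict(self, pkt: Packet) -> str:
        return self.walk("FORWARD", pkt)


LAN = "192.168.0.0/24"
RESTRICTED = "192.168.0.245"          # the banned client from the thread
SITE = "1.2.3.4"                      # the one site it may reach
OTHER = "198.51.100.7"                # constructed: any other Internet host

# Blanket LAN accept before the per-client rules, which are then never reached
# (constructed to show the ordering Rob warns about; not CT's ruleset).
BLANKET_FIRST = Ruleset(
    chains={"FORWARD": [
        Rule("ACCEPT", src=LAN, in_iface="eth0"),
        Rule("ACCEPT", src=RESTRICTED, dst=SITE, in_iface="eth0", proto="tcp", dport=80),
        Rule("DROP", src=RESTRICTED, in_iface="eth0"),
    ]},
    policy={"FORWARD": "DROP"},
)

# Rob's ordering: decide about the restricted client first, then everyone else.
RESTRICTED_FIRST = Ruleset(
    chains={"FORWARD": [
        Rule("ACCEPT", src=RESTRICTED, dst=SITE, in_iface="eth0", proto="tcp", dport=80),
        Rule("DROP", src=RESTRICTED, in_iface="eth0"),
        Rule("ACCEPT", src=LAN, in_iface="eth0"),
    ]},
    policy={"FORWARD": "DROP"},
)

# CT's final layout: user-defined chains, FORWARD policy ACCEPT.
CT_CHAINS = Ruleset(
    chains={
        "FORWARD": [
            Rule("allow", src="192.168.0.185"),
            Rule("allow", src="192.168.0.247"),
            Rule("allow", src=LAN, dst=SITE, proto="tcp", dport=80),
            Rule("restricted", src=LAN, in_iface="eth0"),
        ],
        "allow": [Rule("ACCEPT")],
        "restricted": [Rule("DROP")],
    },
    policy={"FORWARD": "ACCEPT"},
)


def compare(pkt: Packet) -> Dict[str, str]:
    """Verdict of each ruleset for one packet, keyed by ruleset name."""
    return {
        "blanket_first": BLANKET_FIRST.verdict(pkt),
        "restricted_first": RESTRICTED_FIRST.verdict(pkt),
        "ct_chains": CT_CHAINS.verdict(pkt),
    }


if __name__ == "__main__":
    for pkt in (
        Packet(RESTRICTED, SITE, 80),                        # the one thing .245 may do
        Packet(RESTRICTED, OTHER, 443),                      # .245 going anywhere else
        Packet("192.168.0.185", OTHER, 443),                 # an unrestricted client
        Packet(OTHER, "192.168.0.10", 22, in_iface="eth1"),  # unsolicited from outside
    ):
        print(pkt, compare(pkt))
```

The second packet is the whole thread in one line: with the blanket accept first, the restricted client reaches any site, because the rules meant to catch it are never evaluated; with Rob's order or CT's chains it is dropped. The last packet shows the difference a DROP policy makes: CT's layout forwards an unsolicited connection from the outside interface because nothing matches it and the policy is ACCEPT, whereas Rob's layout drops it (in the real ruleset, replies to LAN-initiated connections are still let through by the RELATED,ESTABLISHED rule).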