Re: allowing ssh in campus


 



I have NAT.(

> If I allow Student1 ssh on dorm1 gateway then what do I tell the
> Campus gateway to allow ? (I can't allow full access from Dorm1's
> gateway public ip.)

On 5/18/05, Пётр Волков  Александрович <torre_cremata@xxxxxxx> wrote:
> Hello, Bogdan.
>
> In a message of 18 May 2005 04:42 vaida bogdan wrote:
> > My campus connections look like this:
> >
> > Dorm1 gateway ----\
> > Dorm2 gateway ----|=> Campus gateway |-> OUTSIDE
> > Dorm3 gateway ----/                                  \-> University Servers
> >
> > Dorms' ips are private on different internal networks.
> >
> > I want to allow ssh (and other ports) access on request to users from
> > one of the Dorms to OUTSIDE.
> >
> > If I allow Student1 ssh on dorm1 gateway then what do I tell the
> > Campus gateway to allow ? (I can't allow full access from Dorm1's
> > gateway public ip.
>
> Do you have NAT on Dorm's gateways? If you have, then it's a hard task to
> differentiate users on Campus gateway. So I suppose that you do not have NAT
> there and they are ordinary routers. Then I think rules should be like
> this:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -s <users_IP> -p tcp --dport 22 -j ACCEPT
> iptables -A FORWARD -d <users_IP> -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > I would also like to consider security matters: (allow by ip&mac, or
> > through proxy).
>
> you can use mac address only for local networks. But proxy is possible.
> Look for squid's access control lists.
>
> Have I missed your question?
>
> --
> ____________
> Peter.
>
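The quoted rules assume the dorm gateways do not NAT, while the reply above says they do. One way to keep per-student control in that case, shown as an added example that is not part of the thread: the dorm gateway source-NATs only approved students' ssh traffic to a dedicated address, and the campus gateway allows ssh from that address alone. The alias address 192.0.2.10, the interface eth0 and the student addresses are constructed assumptions, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run generator: prints iptables
# commands instead of running them, so it needs no root and no iptables.
# All addresses and the interface name are constructed placeholders.

SSH_ALIAS_IP="192.0.2.10"   # assumed extra public IP on the Dorm1 gateway
DORM_WAN_IF="eth0"          # assumed uplink interface of the Dorm1 gateway

# Accept only dotted-quad IPv4, so a typo never ends up inside a rule.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Dorm gateway: approved students leave for ssh from the alias address.
# -I puts the rule ahead of the gateway's existing general NAT rule.
dorm_rules() {
    for ip in "$@"; do
        valid_ip "$ip" || { echo "skipping invalid address: $ip" >&2; continue; }
        echo "iptables -t nat -I POSTROUTING -o $DORM_WAN_IF -s $ip -p tcp --dport 22 -j SNAT --to-source $SSH_ALIAS_IP"
    done
}

# Campus gateway: default drop, ssh out only from the alias address,
# replies only for connections that are already established.
campus_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -s $SSH_ALIAS_IP -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A FORWARD -d $SSH_ALIAS_IP -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample: two approved students and one mistyped address.
dorm_rules 10.1.0.23 10.1.0.57 10.1.0.300
campus_rules
```

Revoking a student's access means deleting that student's SNAT rule on the dorm gateway; the campus gateway rules do not change.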
