Thanks John
Yes I want this machine and every other machine on the LAN to be denied
access to the Internet except to the sites or IPs listed
in the allowed-hosts file
So could you help what addionional rules would I need ?
John A. Sullivan III wrote:
Hmm . . .looks a little strange. Do you want such access for this
specific device or for other devices on the internal network that use
this device as a gateway? The INPUT and OUTPUT chains will only handle
traffic to and from this device.
I would suggest you use connection tracking and you may find it easier
to use DROP policies. Thus:
$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then you can allow the outbound access including the protcol:
while read s1 s2
do
$IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
done < /allowed-hosts
also what is the -p 6 ???
If you want to allow other devices to access these sites through this
device, you will need rules in the FORWARD chain and probably an SNAT
rule in the nat table POSTROUTING chain. Good luck - John
Thanks
Barry
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.9/72 - Release Date: 8/14/2005
