On 04/26/11 07:17, Becskei Robert wrote:
> I have a problem here, I have a client, which should only be able to access
> a few IPs and not the rest. But the rest of my network should be allowed to
> access this client unrestricted (that is if they initiate the connection).
> ...
> What I want is :
> - Client should be able to only access a few selected IPs (see above)
> - Client should not be able to access anything else
> - BUT! If someone from the network initiates a connection to the client, be
> it ping, vnc, or whatever it should be allowed (I don't know how to do
> this)
> This should be possible and relatively easy to do.
> If someone can please help me :) . Thank you
You are asking for stateful packet inspection, just like you are
probably using to filter traffic coming back in from the internet.
Try adding a rule like the following somewhere before your DROP rule.
iptables -A FORWARD -s 192.168.220.28 -m state --state ESTABLISHED,RELATED -j ACCEPT
This will allow reply traffic back out while still allowing you to
control everything else like you are wanting to do.
Grant. . . .
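As an added illustration (not part of the thread, and not Grant's or Robert's code), here is a small POSIX shell script that generates a complete iptables-restore ruleset for the policy described above: connections that others open to the client are answered (conntrack ESTABLISHED,RELATED), the client may open new connections only to an allow-list, and everything else the client initiates is logged and dropped. It assumes the filtering box is the router, so the FORWARD chain is used as in Grant's rule; the client address 192.168.220.28 is taken from that rule, while the allow-listed destinations, the RESTRICTED_CLIENT chain name and the log prefix are constructed placeholders. It uses the `conntrack` match with `--ctstate`, which is the current spelling of the older `-m state --state` match and behaves the same here.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that confines one client
# while still letting the rest of the LAN reach it. Not the list's own code.

CLIENT="192.168.220.28"                         # from the reply on the list
ALLOWED_DESTS="192.168.220.1 192.168.220.10"   # constructed sample allow-list

# build_forward_rules CLIENT DEST...
# Prints an iptables-restore fragment for the filter table. Traffic sourced
# from CLIENT is diverted into its own chain; traffic from the LAN towards
# CLIENT is left alone, so it is governed by the rest of the FORWARD chain
# (assumed here to permit LAN-initiated connections to the client).
build_forward_rules() {
  client="$1"; shift
  printf '%s\n' '*filter'
  printf '%s\n' ':RESTRICTED_CLIENT - [0:0]'
  printf '%s\n' "-A FORWARD -s $client -j RESTRICTED_CLIENT"

  # 1. Replies to connections the LAN opened to the client: conntrack already
  #    knows the flow, so the client's reply packets match ESTABLISHED.
  #    This rule must precede the DROP, exactly as Grant describes.
  printf '%s\n' '-A RESTRICTED_CLIENT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

  # 2. Connections the client is allowed to initiate itself.
  for d in "$@"; do
    printf '%s\n' "-A RESTRICTED_CLIENT -d $d -m conntrack --ctstate NEW -j ACCEPT"
  done

  # 3. Anything else the client starts: rate-limited log line, then drop,
  #    so attempts to reach non-allowed hosts are visible in the kernel log.
  printf '%s\n' '-A RESTRICTED_CLIENT -m limit --limit 5/min -j LOG --log-prefix "client-blocked: "'
  printf '%s\n' '-A RESTRICTED_CLIENT -j DROP'
  printf '%s\n' 'COMMIT'
}

# Stand-alone use: print the ruleset, or pipe it into iptables-restore as root:
#   ./confine-client.sh | iptables-restore --noflush
build_forward_rules "$CLIENT" $ALLOWED_DESTS
```

Because the script only emits text, it can be reviewed or diffed before it is loaded; `iptables-restore --noflush` merges the fragment without discarding the existing tables.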
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html