Mailinglist Archive: opensuse-security (261 mails)

Re: [suse-security] allow EXCEPT (SuSEfirewall2)
  • From: Paranoiac_User <Paranoiac_User@xxxxxxxxxx>
  • Date: Thu, 29 Apr 2004 16:49:57 +0200
  • Message-id: <opr673hjkafqutfm@xxxxxxxxxxxxxxx>
I want to set up a rule in SuSEfirewall2 that allows all users from my LAN to browse or FTP from 192.168.0.0/24 to 0/0.

This is easy and done.

FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,80 \
192.168.0.0/24,0/0,tcp,21"

This does activate NAT for 192.168.0.0 when dport is (80|21) and proto is tcp.

My question is, I only want two internal addresses to be able to FTP and browse to a specific FTP/WWW server.
I cannot find any reference in SuSEfirewall2 to include an exclusion in the above line.

I was thinking something like:
FW_MASQ_NETS="192.168.0.0/24,0/0!200.200.200.211,tcp,80 \
192.168.0.222,200.200.200.211,tcp,80"

Any idea how to do this, or should I create all my forwarding rules directly using iptables?

Put some rules into the firewall.local file:

# the two allowed clients come first; first match wins
iptables -A INPUT -j ACCEPT -s $ok1 -p tcp -d $server_to_allow --dport 80 -i $int
iptables -A INPUT -j ACCEPT -s $ok2 -p tcp -d $server_to_allow --dport 80 -i $int
# everybody else on the LAN is refused for that server only
iptables -A INPUT -j DROP -s 192.168.0.0/24 -p tcp -d $server_to_allow --dport 80 -i $int

where $ok1 and $ok2 are the clients allowed to access, $int is the internal NIC and $server_to_allow
is the server that only $ok1 and $ok2 can access. Since iptables rules are checked from top to bottom, $ok1 and $ok2 are allowed in before the 3rd rule denies everybody else.

the bob

--

http://www.hs-pongratz.de
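As an added example (not from the thread), the same exception expressed as FORWARD rules, the chain that matches LAN traffic routed through a masquerading SuSEfirewall2 box, together with a small first-match walk over the rule list so the ordering can be checked offline before it is loaded. The second allowed host, the interface name and the FALLTHROUGH label are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the server and host .222 come from the thread; the
# second allowed host and the interface name are assumptions.
LAN = "192.168.0.0/24"
SERVER = "200.200.200.211/32"
ALLOWED = ["192.168.0.222/32", "192.168.0.223/32"]
PORTS = (80, 21)
INT_IF = "eth1"


@dataclass
class Rule:
    src: str
    dst: str
    dports: tuple
    target: str

    def matches(self, src, dst, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and dport in self.dports)

    def to_iptables(self):
        ports = ",".join(str(p) for p in self.dports)
        return (f"iptables -A FORWARD -i {INT_IF} -s {self.src} -d {self.dst}"
                f" -p tcp -m multiport --dports {ports} -j {self.target}")


def build_rules():
    """Exceptions first, then the LAN-wide refusal for that one server.
    iptables takes the first matching rule, so this order is what makes
    the exception work; swapping it would drop the allowed hosts too."""
    rules = [Rule(h, SERVER, PORTS, "ACCEPT") for h in ALLOWED]
    rules.append(Rule(LAN, SERVER, PORTS, "DROP"))
    return rules


def verdict(rules, src, dst, dport):
    """Walk the chain top-down. No match means the packet falls through to
    the rules SuSEfirewall2 generated from FW_MASQ_NETS (label assumed)."""
    for r in rules:
        if r.matches(src, dst, dport):
            return r.target
    return "FALLTHROUGH"


def emit():
    """Render the rule list as the iptables commands to put in firewall.local."""
    return "\n".join(r.to_iptables() for r in build_rules())


if __name__ == "__main__":
    print(emit())
```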
