I want to set up a rule in SuSEfirewall2 that allows all users from my LAN to browse or FTP from 192.168.0.0/24 to 0/0
This is easy and done.
FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,80 \
              192.168.0.0/24,0/0,tcp,21"
This activates NAT for 192.168.0.0 when the destination port is 80 or 21 and the protocol is TCP.
My question is: I only want two internal addresses to be able to FTP and browse to a specific FTP/WWW server. I cannot find any reference in SuSEfirewall2 to including an exclusion in the above line.
I was thinking of something like:
FW_MASQ_NETS="192.168.0.0/24,0/0!200.200.200.211,tcp,80 \
              192.168.0.222,200.200.200.211,tcp,80"
Any idea how to do this, or should I create all my forwarding rules directly using iptables?
Put some rules into the firewall.local file:

iptables -A FORWARD -j ACCEPT -s $ok1 -p tcp -d $server_to_allow --dport 80 -i $int
iptables -A FORWARD -j ACCEPT -s $ok2 -p tcp -d $server_to_allow --dport 80 -i $int
iptables -A FORWARD -j DROP -s 192.168.0.0/24 -p tcp -d $server_to_allow --dport 80 -i $int

where $ok1 and $ok2 are the clients allowed access, $int is the internal NIC and $server_to_allow is the server that only $ok1 and $ok2 may reach. Since iptables rules are checked from top down, $ok1 and $ok2 are allowed before the third rule denies everyone else.

the bob -- http://www.hs-pongratz.de
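The allow-then-drop ordering described in the reply, written out as a complete script. This is an added example, not code from the thread or from SuSEfirewall2. It assumes the firewall is the LAN's router (so the traffic crosses the FORWARD chain, not INPUT), that the ACCEPT rules SuSEfirewall2 generates for FW_MASQ_NETS are already in FORWARD (so our check is inserted with -I at the top rather than appended below them), and that the hook file sources this and calls the function. The chain name srv_restrict, the interface eth1 and the client addresses in the comments are made up for the example; the server address is the one from the question.

```shell
#!/bin/sh
# Added example: allow only a few LAN hosts to reach one external server,
# everybody else on the LAN is dropped for that server.
#
# Rules go into a dedicated user chain with -A, so they are evaluated in the
# order written (ACCEPTs first, DROP last, exactly the top-down behaviour the
# reply relies on). The jump into that chain is then inserted at position 1
# of FORWARD so it runs before any ACCEPT SuSEfirewall2 has already put there.
#
# IPTABLES may be overridden, e.g. IPTABLES=echo, to preview the rules
# without touching the kernel tables.
IPTABLES=${IPTABLES:-iptables}

# restrict_server_access CLIENTS SERVER LAN_NET INT_IF PORTS
#   CLIENTS  space-separated LAN hosts allowed to reach SERVER
#   SERVER   the single external server being restricted
#   LAN_NET  the LAN network whose other hosts must be blocked
#   INT_IF   internal interface the LAN is attached to
#   PORTS    space-separated TCP destination ports, e.g. "80 21"
restrict_server_access() {
    clients=$1; server=$2; lan_net=$3; int_if=$4; ports=$5
    chain=srv_restrict    # assumed name, not from the page

    # Create the chain on first run, empty it on later runs (idempotent).
    "$IPTABLES" -N "$chain" 2>/dev/null || true
    "$IPTABLES" -F "$chain"

    # One ACCEPT per allowed client and port.
    for p in $ports; do
        for c in $clients; do
            "$IPTABLES" -A "$chain" -i "$int_if" -s "$c" -d "$server" \
                -p tcp --dport "$p" -j ACCEPT
        done
    done

    # Anything else from the LAN to this server that reached here was not
    # matched above, so drop it. Traffic from other sources falls off the
    # end of the chain and continues through FORWARD as before.
    "$IPTABLES" -A "$chain" -i "$int_if" -s "$lan_net" -d "$server" -p tcp -j DROP

    # Consult our chain before anything SuSEfirewall2 already accepted.
    "$IPTABLES" -I FORWARD 1 -i "$int_if" -d "$server" -p tcp -j "$chain"
}

# Example invocation, with constructed client addresses (run from the hook):
#   restrict_server_access "192.168.0.111 192.168.0.222" 200.200.200.211 \
#       192.168.0.0/24 eth1 "80 21"
```

Preview the result with `IPTABLES=echo sh -c '. ./this-script; restrict_server_access ...'` before loading it; the printed lines show the ACCEPTs ahead of the single DROP and the jump inserted at FORWARD position 1.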