Christoph Haas wrote:
Hello!
I'm looking for a way to configure my SuSE 7.0 firewall script (v2.6) so that I can control which IP addresses are allowed to get through to the Internet.
If I configure 'FW_MASQUERADE=yes' and 'FW_MASQ_NETS="172.16.0.0/255.255.0.0"', every machine in the 172.16.x.x net is able to connect to the Internet.
But I need to allow certain IP addresses Internet access, while other IP addresses on the same (sub)net mustn't be able to get through. If possible, it should be configurable in an external file.
Any hints?
Hi! Not sure if this is what you wanted, but here you have the scripts I use to control access to the modem (users pay for their on-line time):

mini:~# cat /etc/ppp/client_online

    #! /bin/sh
    # Called with one argument: the internal IP address that is joining.
    # The name of the log file is kept in /etc/billing.conf.
    logdata="`date \"+%Y/%m/%d %H:%M:%S %a\"` JOIN $1"
    logfile=`cat /etc/billing.conf`
    /usr/bin/logger "$logdata"
    echo "$logdata" >>"$logfile"
    # After a short delay, start masquerading traffic from this host.
    (sleep 10; /sbin/ipchains -I forward -s "$1" -j MASQ) &
    # Resolve the IP to a name in the background so the log stays readable.
    echo `date "+%Y/%m/%d %H:%M:%S %a"` "NOP $1 is" `nslookup "$1" | grep Name | awk '{ print $2 }'` >>"$logfile" &

mini:~# cat /etc/ppp/client_offline

    #! /bin/sh
    # Called with one argument: the internal IP address that is leaving.
    logdata="`date \"+%Y/%m/%d %H:%M:%S %a\"` LEAVE $1"
    logfile=`cat /etc/billing.conf`
    /usr/bin/logger "$logdata"
    echo "$logdata" >>"$logfile"
    # After a short delay, remove one MASQ rule for this host.
    (sleep 10; /sbin/ipchains -D forward -s "$1" -j MASQ) &
    echo `date "+%Y/%m/%d %H:%M:%S %a"` "NOP $1 is" `nslookup "$1" | grep Name | awk '{ print $2 }'` >>"$logfile" &

Each script gets one parameter: the internal IP address. In /etc/billing.conf you keep the name of the log file. It also translates the IP to an FQDN to keep the log more human-readable, and it uses the "logger" program to leave a stamp in syslog.

GREG__

PS: Ah, and you have to turn off the normal 192.168.0.0/255.255.0.0 masquerading. You probably want to add "-i ppp0" or similar to the ipchains call. Remember that you have to call the "client_offline" script the same number of times you called "client_online" to get him off the Internet connection.

PPS: It doesn't have much to do with security, does it?
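The original question asked for the allow-list to live in an external file. The following is an added example, not code from either poster: a POSIX sh script that reads one IPv4 address per line from a file (the file format and the path are assumptions made for this example), sets the ipchains forward policy to DENY so that membership in 172.16.0.0/16 alone no longer grants access, and emits one MASQ rule per listed host on the outgoing interface, as GREG's "-i ppp0" remark suggests. It prints the ipchains commands instead of running them, so the generated rule set can be reviewed (or piped to sh on a box that still has ipchains) and invalid entries are reported rather than silently turned into rules.

```shell
#!/bin/sh
# Added example: build per-host ipchains MASQ rules from an external allow-list.
# Assumed file format (chosen for this example): one IPv4 address per line,
# blank lines and anything after '#' ignored.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Print the ipchains commands for allow-list $1, masquerading out interface $2.
# Hosts not listed fall through to the default forward policy, which is DENY.
build_masq_rules() {
    allow_file=$1
    out_if=$2
    echo "/sbin/ipchains -F forward"
    echo "/sbin/ipchains -P forward DENY"
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments and surrounding whitespace.
        host=$(printf '%s\n' "$line" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$host" ] && continue
        if ! is_ipv4 "$host"; then
            echo "skipping invalid entry: $host" >&2
            continue
        fi
        # In the forward chain, -i names the interface the packet goes out on.
        echo "/sbin/ipchains -A forward -s $host/32 -i $out_if -j MASQ"
    done < "$allow_file"
}

# Number of MASQ rules the allow-list would produce (invalid entries excluded).
count_masq_rules() {
    build_masq_rules "$1" "$2" 2>/dev/null | grep -c -- '-j MASQ'
}

# Constructed sample allow-list for this example; two valid hosts, two bad lines.
make_sample_allow_list() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample: hosts allowed to reach the Internet
172.16.1.10      # workstation that may go online
172.16.1.25
172.16.2.300     # invalid octet, must be rejected
not-an-ip
EOF
    echo "$f"
}

sample=$(make_sample_allow_list)
build_masq_rules "$sample" ppp0
rm -f "$sample"
```

Because the whole forward chain is flushed and rebuilt from the file, re-running the script after editing the allow-list is idempotent, which avoids the "call client_offline as many times as client_online" bookkeeping of the per-session approach above.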