On Friday 08 March 2002 23:04, Mario Ohnewald wrote:
Hello! I have a little network, one firewall/router. I want to allow some IPs to surf the net, and some are not allowed to leave the trusted net.
Why doesn't it work? Can you give me an example of how it does work? That would be really really nice!!
I suppose you made sure it works without a firewall? The INPUT and OUTPUT chains are not used when routing packets. You could try this (very open, as if you had no firewall!!):

----------------------------
# enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# clear everything
iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# masquerade everything
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
----------------------------

The following rules should do just what you wanted (they need to be expanded if you want more):

----------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# connections opened by the allowed client(s)
iptables -t filter -A FORWARD -m state -s <your client or client network> --state NEW,ESTABLISHED,RELATED -j ACCEPT
# replies coming back from the net to the client; with the FORWARD policy at DROP
# these would otherwise be dropped, because their source is not the client
iptables -t filter -A FORWARD -m state -d <your client or client network> --state ESTABLISHED,RELATED -j ACCEPT
----------------------------

I wrote the rules from memory and have not tested these special rules, but I think it should work. I would suggest you use the "-m state" matching module where possible. And I would also restrict the client's access to certain proto/port combinations. "man iptables" is very good IMHO.

There is a nice tool that can aid you in building your firewall: fwbuilder (www.fwbuilder.org). But be sure to use the actual CVS version, because the 1.0 version has some bugs when building the firewall code.
That's why I think it is essential to know the basics to be able to verify the code some tools generate.

Andreas
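An expanded version of the second rule set, added here as an example and not part of the thread or the tools it mentions. It keeps the reply's structure (default DROP, MASQUERADE on ppp0, "-m state") and adds what the reply says it leaves out: a whitelist of LAN hosts, a list of allowed proto/port combinations, a return-path rule so answers to allowed connections are not dropped, rules so the router itself stays reachable, and a dry-run mode for reviewing the generated commands. The interface names, the LAN network and the client addresses are assumptions; change them to match your network.

```shell
#!/bin/sh
# Added example, not code from the original thread.  A small forwarding-only
# firewall for the setup in the question: one Linux router, some LAN hosts
# that may surf the Internet, all others kept inside the trusted net.
# Every interface name and address below is an assumption; edit to taste.

WAN_IF="${WAN_IF:-ppp0}"              # assumed WAN (dial-up) interface
LAN_IF="${LAN_IF:-eth0}"              # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN network
# hosts allowed to leave the trusted net (assumed addresses)
ALLOWED_CLIENTS="${ALLOWED_CLIENTS:-192.168.1.10 192.168.1.20}"
# proto/port pairs those hosts may open; everything else hits the DROP policy
ALLOWED_SERVICES="${ALLOWED_SERVICES:-tcp/80 tcp/443 tcp/53 udp/53}"

# DRY_RUN=1 prints each command instead of executing it, so the generated
# rule set can be read and checked before it is loaded on the router.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

reset_tables() {
    run sysctl -w net.ipv4.ip_forward=1
    for t in filter nat; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
        run iptables -t "$t" -Z
    done
    # Routed packets traverse only FORWARD in the filter table; INPUT and
    # OUTPUT see the router's own traffic.  All three default to DROP.
    for c in INPUT FORWARD OUTPUT; do
        run iptables -t filter -P "$c" DROP
    done
    for c in PREROUTING OUTPUT POSTROUTING; do
        run iptables -t nat -P "$c" ACCEPT
    done
}

router_rules() {
    # the router itself: loopback, replies, and ssh from the LAN side only
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

forward_rules() {
    # replies for already-accepted connections, in both directions; a rule
    # matching only "-s client" would let requests out but drop the answers
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anti-spoofing: packets with a LAN source address must not arrive on WAN
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # one NEW rule per allowed client and service; nothing else may open
    # a connection from the LAN to the Internet
    for client in $ALLOWED_CLIENTS; do
        for svc in $ALLOWED_SERVICES; do
            proto="${svc%/*}"; port="${svc#*/}"
            run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$client" \
                -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
    # anything else leaving the LAN is logged, then falls to the DROP policy
    run iptables -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "FWD-DROP: "
    # hide the LAN behind the router's (dynamic) WAN address
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

build_firewall() {
    reset_tables
    router_rules
    forward_rules
}

case "${1:-}" in
    apply) build_firewall ;;
    show)  DRY_RUN=1; build_firewall ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it with `show` first and read the generated rules, then `apply` as root. A host that is not in ALLOWED_CLIENTS never matches a NEW rule in FORWARD, so its packets are logged and dropped by the chain policy, while an allowed host can only reach the listed ports; this is the "certain proto/port combinations" restriction the reply recommends.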