Hi,

I have got: network A with IP address range 192.168.x.x (this side also connects to the internet), network B with IP address range 10.x.x.x (my internal LAN) and a router, which is a Linux box, to connect the two LANs via routing.

So far so good, the traffic is running between the two networks, since I configured the routes on both networks.

 ------------                                          ------------
|            |                                        |            |
|   LAN A    |-----------------------ROUTER-----------|   LAN B    |
|            |                                        |            |
 ------------                                          ------------

My problem is though, I have no restrictions! I know the first few commands like: iptables -P FORWARD DROP, but I want to regulate that WKS_A from LAN_A can communicate with WKS_1 from LAN_B but not with WKS_2 from LAN_B. Or that WKS_1 on LAN_A is allowed to use SSH and nothing else, but WKS_2 on LAN_A can use all TCP/IP services...

Thanks a lot in advance

Gerhard Grutsch
Support services
Tel : 089/55878-151
Mobile : 0172-8391368
E-mail : ggrutsch@statestreet.com
Hi Gerhard,

What you want is fine-grained control over connections. I can recommend you a book that is not so expensive and not so big (less than 300 pages), but very interesting: Routing Regulated by Linux, by Matthew G. Marsh, Prentice Hall. I'm not sure if the English title is correct because I have it in Spanish.

Regards,
Pedro

On Tuesday 29 April 2003 18:19, Grutsch, Gerhard wrote:
> Hi,
>
> I have got: network A with IP address range 192.168.x.x (this side also connects to the internet), network B with IP address range 10.x.x.x (my internal LAN) and a router, which is a Linux box, to connect the two LANs via routing.
>
> So far so good, the traffic is running between the two networks, since I configured the routes on both networks.
>
>  ------------                                          ------------
> |            |                                        |            |
> |   LAN A    |-----------------------ROUTER-----------|   LAN B    |
> |            |                                        |            |
>  ------------                                          ------------
>
> My problem is though, I have no restrictions! I know the first few commands like: iptables -P FORWARD DROP, but I want to regulate that WKS_A from LAN_A can communicate with WKS_1 from LAN_B but not with WKS_2 from LAN_B. Or that WKS_1 on LAN_A is allowed to use SSH and nothing else, but WKS_2 on LAN_A can use all TCP/IP services...
>
> Thanks a lot in advance
>
> Gerhard Grutsch
> Support services
> Tel : 089/55878-151
> Mobile : 0172-8391368
> E-mail : ggrutsch@statestreet.com
Hi Gerhard,

What you want is the more specific part of iptables, like:

    source=x.x.x.x, dst=y.y.y.y  ACCEPT
    src=x.x.x.a,    dst=y.y.y.b  DROP

I'm using webmin to set up my iptables. It lets you add one rule at a time, and you see all parameters that are possible. www.webmin.org (I'm not really sure, but I think that's where you get it). Got me a working firewall with minimal headache.

Kind regards
Patrick Thempel
mail: patrick_thempel@yahoo.com
Dear Gerhard,

Surf to: http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html

There it is described how the rules are built. You want a very restricted router: DROP all packets, except for the specified ones. For your example it would be something like:

> but I want to regulate that WKS_A from LAN_A can communicate with WKS_1 from LAN_B

    iptables -P FORWARD DROP                                            # Drop everything by default
    iptables -A FORWARD -s <IP of WKS_A> -d <IP of WKS_1> -j ACCEPT     # BUT forward this host to this one
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT  # and let WKS_1's replies back through

I think that's all.

Regards,
Uwe

Grutsch, Gerhard wrote:
> Hi,
>
> I have got: network A with IP address range 192.168.x.x (this side also connects to the internet), network B with IP address range 10.x.x.x (my internal LAN) and a router, which is a Linux box, to connect the two LANs via routing.
>
> So far so good, the traffic is running between the two networks, since I configured the routes on both networks.
>
>  ------------                                          ------------
> |            |                                        |            |
> |   LAN A    |-----------------------ROUTER-----------|   LAN B    |
> |            |                                        |            |
>  ------------                                          ------------
>
> My problem is though, I have no restrictions! I know the first few commands like: iptables -P FORWARD DROP, but I want to regulate that WKS_A from LAN_A can communicate with WKS_1 from LAN_B but not with WKS_2 from LAN_B. Or that WKS_1 on LAN_A is allowed to use SSH and nothing else, but WKS_2 on LAN_A can use all TCP/IP services...
>
> Thanks a lot in advance
>
> Gerhard Grutsch
> Support services
> Tel : 089/55878-151
> Mobile : 0172-8391368
> E-mail : ggrutsch@statestreet.com
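The three requirements from Gerhard's post written out as one complete FORWARD chain, as an added example that is not code from anyone in this thread. Only the two network ranges (192.168.x.x and 10.x.x.x) come from the post; the host addresses, the interface names eth0/eth1 and the final LOG rule are assumptions chosen for illustration. By default the script only prints the iptables commands so the rule set can be reviewed; running it with IPT=iptables as root applies them.

```shell
#!/bin/sh
# Added example: FORWARD chain for the LAN A <-> LAN B router in this thread.
# Only the two network ranges come from the original post; the host addresses,
# interface names and logging below are assumptions for illustration.

LAN_A=192.168.0.0/16     # LAN A range from the post (192.168.x.x)
LAN_B=10.0.0.0/8         # LAN B range from the post (10.x.x.x)
IF_A=eth0                # assumed: router interface on LAN A
IF_B=eth1                # assumed: router interface on LAN B
WKS_A=192.168.1.10       # assumed: LAN A host that may reach WKS_1 but not WKS_2
WKS_1=10.0.0.11          # assumed: LAN B host WKS_A may reach
WKS_2=10.0.0.12          # assumed: LAN B host WKS_A must not reach
WKS_1_A=192.168.1.21     # assumed: LAN A host limited to SSH into LAN B
WKS_2_A=192.168.1.22     # assumed: LAN A host allowed every service in LAN B

# With IPT=iptables (as root) the rules are applied; the default only prints
# them so the rule set can be reviewed before it is loaded.
IPT=${IPT:-"echo iptables"}

forward_policy() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP           # default deny: unmatched traffic is dropped

    # Every rule below matches on source address, so refuse packets whose source
    # does not belong to the LAN they arrive from (cross-LAN spoofing).
    $IPT -A FORWARD -i "$IF_A" ! -s "$LAN_A" -j DROP
    $IPT -A FORWARD -i "$IF_B" ! -s "$LAN_B" -j DROP

    # Replies to permitted connections also pass through FORWARD; without this
    # rule every allow below would be one-way and nothing would work.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. WKS_A may talk to WKS_1 but not WKS_2. First match wins, so the deny
    #    goes before the allow and survives a later, broader LAN_A allow rule.
    $IPT -A FORWARD -s "$WKS_A" -d "$WKS_2" -j DROP
    $IPT -A FORWARD -s "$WKS_A" -d "$WKS_1" -m state --state NEW -j ACCEPT

    # 2. WKS_1 on LAN A may open SSH (TCP/22) into LAN B and nothing else.
    $IPT -A FORWARD -s "$WKS_1_A" -d "$LAN_B" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 3. WKS_2 on LAN A may open any connection into LAN B.
    $IPT -A FORWARD -s "$WKS_2_A" -d "$LAN_B" -m state --state NEW -j ACCEPT

    # Anything else hits the DROP policy; log it so blocked traffic is visible.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
}

# Print (or, with IPT=iptables, apply) the rule set.
forward_policy
```

After loading, check the result with iptables -L FORWARD -n -v --line-numbers: the order matters, because iptables stops at the first matching rule, so the WKS_A to WKS_2 DROP must be listed above the WKS_A to WKS_1 ACCEPT. One caveat that applies to every source-address rule in this thread: the router only ever sees the address in the packet, so the two anti-spoofing rules stop a LAN B host from pretending to be on LAN A and vice versa, but they cannot stop another machine on LAN A from taking over WKS_A's address; that has to be enforced on the switch or with static ARP, not in iptables.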
participants (4)
- Grutsch, Gerhard
- patrick thempel
- Pedro Cáliz
- Uwe Eisner