* Restricted Access
@ 2003-07-07  3:28 Craig Thew
  2003-07-07  8:43 ` Rob Sterenborg
  2003-07-08  4:46 ` Matt Hellman
  0 siblings, 2 replies; 7+ messages in thread
From: Craig Thew @ 2003-07-07  3:28 UTC (permalink / raw)
  To: netfilter


Hi everyone,

I have a very basic iptables setup to allow my Windows clients to access
the net through iptables. What I want to do is allow some clients to have
full access to any websites and others to be restricted to certain sites
only. Can iptables do this? Does someone have an example or point me in
the right direction?

Many Thanks

CT






* RE: Restricted Access
  2003-07-07  3:28 Restricted Access Craig Thew
@ 2003-07-07  8:43 ` Rob Sterenborg
  2003-07-07 22:36   ` Craig Thew
  2003-07-08  4:46 ` Matt Hellman
  1 sibling, 1 reply; 7+ messages in thread
From: Rob Sterenborg @ 2003-07-07  8:43 UTC (permalink / raw)
  To: netfilter

> I have a very basic iptables setup to allow my Windows clients to access
> the net through iptables. What I want to do is allow some clients to have
> full access to any websites and others to be restricted to certain sites
> only. Can iptables do this? Does someone have an example or point me in
> the right direction?

What is your setup?
Do your clients have fixed IP addresses?

Example:

FULL="192.168.0/24"
RESTRICTED="192.168.1/24"
ACCESS_SITES="a.b.c.d e.f.g.h ..."

# Full access clients
iptables -A FORWARD -i <if_in> -o <if_out> -s $FULL -j ACCEPT

# Restricted access clients: one ACCEPT per allowed destination
for IP in $ACCESS_SITES ; do
  iptables -A FORWARD -i <if_in> -o <if_out> -s $RESTRICTED -d $IP -j ACCEPT
done


Gr,
Rob




* RE: Restricted Access
  2003-07-07  8:43 ` Rob Sterenborg
@ 2003-07-07 22:36   ` Craig Thew
  2003-07-08  6:58     ` Rob Sterenborg
  0 siblings, 1 reply; 7+ messages in thread
From: Craig Thew @ 2003-07-07 22:36 UTC (permalink / raw)
  To: 'Rob Sterenborg', netfilter


Hi,

Thanks for your responses.
All my clients have fixed IPs
and are on an internal net of 192.168.0/24.

This is my /etc/sysconfig/iptables:

*nat
:PREROUTING ACCEPT [3803:230566]
:POSTROUTING ACCEPT [11:858]
:OUTPUT ACCEPT [13:1026]

-A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE

COMMIT

*mangle
:PREROUTING ACCEPT [15299:1685366]
:OUTPUT ACCEPT [1947:581477]

COMMIT

*filter
:INPUT DROP [2789:198491]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1953:582221]
:firewall - [0:0]

# Ban this PC
-A FORWARD -s 192.168.0.245 -i eth0 -j firewall

This is the bit that I can't get to work.
I can stop the client 192.168.0.245 from getting to the net at all with the
above rule, but then I want that client to be able to go to 1.2.3.4:

-A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j ACCEPT

Thanks for your time

CT





* Re: Restricted Access
  2003-07-07  3:28 Restricted Access Craig Thew
  2003-07-07  8:43 ` Rob Sterenborg
@ 2003-07-08  4:46 ` Matt Hellman
  1 sibling, 0 replies; 7+ messages in thread
From: Matt Hellman @ 2003-07-08  4:46 UTC (permalink / raw)
  To: netfilter

Craig Thew wrote:

>Hi everyone,
>
>I have a very basic iptables setup to allow my Windows clients to access
>the net through iptables. What I want to do is allow some clients to have
>full access to any websites and others to be restricted to certain sites
>only. Can iptables do this? Does someone have an example or point me in
>the right direction?
>
>Many Thanks
>
>CT
>
Unless you have a very small number of IP addresses and ports you want
to allow those "restricted clients" to access, I would advise using an
application layer proxy like Squid. It would have the added benefit of
allowing you to configure authentication as well, which is almost always
a more effective and thorough way to restrict [and monitor] client
access. Good luck,

Matt




* RE: Restricted Access
  2003-07-07 22:36   ` Craig Thew
@ 2003-07-08  6:58     ` Rob Sterenborg
  2003-07-13 22:11       ` Craig Thew
  0 siblings, 1 reply; 7+ messages in thread
From: Rob Sterenborg @ 2003-07-08  6:58 UTC (permalink / raw)
  To: netfilter

> All my clients have fixed IPs
> and are on an internal net of 192.168.0/24

> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE

> # Ban this PC
> -A FORWARD -s 192.168.0.245 -i eth0 -j firewall
> 
> This is the bit that I can't get to work.
> I can stop the client 192.168.0.245 from getting to the net at all
> with the above rule, but then I want that client to be able to
> go to 1.2.3.4:
> 
> -A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --sport 80 -j ACCEPT
> -A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j ACCEPT


Maybe you don't use the correct order for your rules?
You have to tell iptables about the restricted client first, and after that
about the unrestricted clients.
Rules are evaluated in the order you entered them.


# Drop everything that doesn't have a rule for it
#   If you didn't tell the complete story, it may break other things ;)
iptables -P FORWARD DROP

# Accept related and established
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Tell iptables what to accept from the restricted client
# From what I see you want to let the restricted client connect to
#   port 80/tcp on 1.2.3.4.
# Are you sure it connects *from* port 80/tcp ?? If not, don't use --sport.
# Drop everything else from the restricted client
iptables -A FORWARD -i eth0 -s 192.168.0.245 -d 1.2.3.4 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.245 -j DROP

# Accept everything from the other clients (you already dropped
#   the restricted client here..)
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT

# The MASQ rule
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 [-o <if_out>] -j MASQUERADE


Rob.
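Rob's FULL/RESTRICTED example earlier in the thread and the script above come down to the same ordering: connection-tracking accept first, the restricted client's specific allows next, then its catch-all DROP, and only then the broad accept for the rest of the LAN, all under a FORWARD policy of DROP. The script below is an added example, not code posted in the thread: it generates such a ruleset in iptables-save format from a few parameters so the order can be reviewed (or loaded with iptables-restore) instead of typed rule by rule. eth0, 192.168.0.0/24, client 192.168.0.245 and 1.2.3.4 in the demo call are the thread's illustrative values; the function gen_forward_rules and the helper rule_line are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a FORWARD ruleset in
# iptables-save format in the order Rob describes (RELATED,ESTABLISHED first,
# then the restricted client's specific allows, then its catch-all DROP, then
# the unrestricted LAN), under a default FORWARD policy of DROP.
#
#   gen_forward_rules LAN_IF LAN_NET RESTRICTED_CLIENT "SITE SITE ..." [PORT]
gen_forward_rules() {
    lan_if=$1
    lan_net=$2
    restricted=$3
    sites=$4
    port=${5:-80}

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    # Default deny: anything the rules below do not match is dropped.
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Return traffic of connections that were already allowed.
    echo '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Restricted client: new connections only to the listed sites on $port.
    # Match the destination port; the client's source port is ephemeral,
    # so a --sport match would almost never hit.
    for site in $sites; do
        echo "-A FORWARD -i $lan_if -s $restricted -d $site -p tcp -m tcp --dport $port -j ACCEPT"
    done
    # Everything else from the restricted client is dropped here, before the
    # LAN-wide ACCEPT below can match it.
    echo "-A FORWARD -i $lan_if -s $restricted -j DROP"
    # Unrestricted clients: the rest of the LAN.
    echo "-A FORWARD -i $lan_if -s $lan_net -j ACCEPT"
    echo 'COMMIT'
}

# Line number of the first rule in RULESET matching PATTERN (empty if none);
# used to check that the rules came out in the intended order.
#   rule_line RULESET PATTERN
rule_line() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Demo with the thread's addresses (eth0, 192.168.0.0/24, client .245).
# Pipe the output into "iptables-restore --test" to syntax-check it without loading.
gen_forward_rules eth0 192.168.0.0/24 192.168.0.245 "1.2.3.4 5.6.7.8"
```

Because the output is a plain iptables-save document, it can be diffed against the running `iptables-save` output and reviewed before anything is loaded, which is where rule-order mistakes like the one in this thread are easiest to catch.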




* RE: Restricted Access
  2003-07-08  6:58     ` Rob Sterenborg
@ 2003-07-13 22:11       ` Craig Thew
  0 siblings, 0 replies; 7+ messages in thread
From: Craig Thew @ 2003-07-13 22:11 UTC (permalink / raw)
  To: 'Rob Sterenborg', netfilter

Hi,

Many thanks for your help everyone, it's all up and running now.
You were right, it was the order I had it in.
I made 2 extra chains, restricted and allow.
That seems to do it.

E.g.:

*filter
:INPUT DROP [2789:198491]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1953:582221]
:allow - [0:0]
:restricted - [0:0]
:firewall - [0:0]

# These PC's are unrestricted
-A FORWARD -s 192.168.0.185 -j allow
-A FORWARD -s 192.168.0.247 -j allow

# Allow restricted  PC's to access these sites
-A FORWARD -s 192.168.0/24 -d 1.2.3.4 -p tcp -m tcp --sport 80 -j allow
-A FORWARD -s 192.168.0/24 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j allow

# Restricted access to IP addresses
-A FORWARD -s 192.168.0/24 -i eth0 -j restricted

-A allow -j ACCEPT
-A restricted -j DROP
-A firewall -j DROP

Again many thanks for your help

CT
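The first configuration posted in this thread shows the pattern that usually hides behind "the rule doesn't work": the firewall chain is declared with no rules of its own (a jump into an empty user chain simply returns, and the FORWARD policy then decides), the FORWARD policy is ACCEPT, and the --sport 80 rule that Rob questioned keys on a port a client connection does not use. As an added example, not code from the thread, the script below reads an iptables-save dump and flags those three conditions. SAMPLE_RULES is a constructed copy of the shape of that first configuration and CLEAN_RULES a constructed version in the order Rob's answer describes; the function names audit_rules and rules_are_clean are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save dump for
# three pitfalls raised in this thread. Both rule sets below are constructed samples.

# Constructed: shape of the first configuration in the thread (filter table only).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:firewall - [0:0]
-A FORWARD -s 192.168.0.245 -i eth0 -j firewall
-A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 192.168.0.245 -d 1.2.3.4 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed: the same intent in the order Rob's reply describes.
CLEAN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:restricted - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.245 -i eth0 -j restricted
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A restricted -d 1.2.3.4 -p tcp -m tcp --dport 80 -j ACCEPT
-A restricted -j DROP
COMMIT'

# audit_rules RULESET: print one "WARN ..." line per finding.
# Findings:
#   - FORWARD policy ACCEPT in the filter table (default allow)
#   - a rule matching on --sport (a client opening a connection uses an
#     ephemeral source port, so such a rule rarely matches; --dport is meant)
#   - a jump to a user chain that holds no rules (the jump just returns)
audit_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/ {
            name = substr($1, 2); policy = $2
            if (table == "filter" && name == "FORWARD" && policy == "ACCEPT")
                print "WARN default-allow: FORWARD policy is ACCEPT, so anything no rule decides is forwarded"
            if (policy == "-") user_chain[table, name] = 1
            next
        }
        /^-A / {
            chain = $2
            nrules[table, chain]++
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && i < NF) jumped_from[table, $(i + 1)] = chain
                if ($i == "--sport")
                    print "WARN source-port match in " chain ": " $0
            }
            next
        }
        END {
            for (k in jumped_from)
                if ((k in user_chain) && !(k in nrules)) {
                    split(k, p, SUBSEP)
                    print "WARN empty chain: " p[2] " is jumped to from " jumped_from[k] " but has no rules, so packets return to " jumped_from[k]
                }
        }'
}

# rules_are_clean RULESET: succeed only when audit_rules reports nothing.
rules_are_clean() {
    [ "$(audit_rules "$1" | grep -c '^WARN')" -eq 0 ]
}

# Demo on the constructed sample; on a live box use: audit_rules "$(iptables-save)"
audit_rules "$SAMPLE_RULES"
```

The checks are deliberately simple string matches over the save format, so they run anywhere awk does and need no root; the point is to make the order-and-policy mistakes in this thread visible in a dump before a rule set is loaded.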


