* allow / deny clients
From: varun_saa @ 2005-04-30 5:33 UTC
To: netfilter
Hello
My server is on Mandrake 10.1
eth0 is WAN with static IP connected to 512K DSL.
eth1 is LAN - 192.168.0.0/24.
I am doing a masq/nat on eth0 as follows:
# Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
# COMMIT closes the *nat table so iptables-restore can load this dump
COMMIT
My subnets are as follows :
192.168.0.0/24
192.168.21.0/24
I would like to allow / deny access to the net to clients
based on :
1. client IPs.
or
2. client IP + MAC
What kind of rules should I write?
Do you start by blocking all IPs
and then write the allow rules?
Or do you directly write filtering rules,
and the others will automatically be
rejected?
Thanks
Varun
* Re: allow / deny clients
From: Taylor, Grant @ 2005-04-30 22:33 UTC
To: netfilter
> I would like to allow / deny access to the net to clients
> based on :
>
> 1. client IPs.
>
> or
>
> 2. client IP + MAC
Rather than denying based on IP, especially in a DHCP environment where IPs could change, I would deny based on source MAC address. You would write a rule like this:
iptables -t filter -A FORWARD -o eth0 -m mac --mac-source 01:23:45:67:89:ab -j ACCEPT
This rule will allow the system with the MAC address of 01:23:45:67:89:ab to access the internet. I would probably recommend that you add some filters to check that the destination IP and possibly port are valid. To do this you might want to jump to another chain to do the checking for you, or have all traffic pass through that chain beforehand.
iptables -t filter -A FORWARD -o eth0 -m mac --mac-source 01:23:45:67:89:ab -j DstIPandPortCheck
This would be such a rule to jump to the DstIPandPortCheck chain to do any additional validation.
Grant. . . .