From: "Martin A. Brown"
Date: Fri, 29 Nov 2002 05:48:01 +0000
Subject: Re: [LARTC] additional routes?
To: lartc@vger.kernel.org

Tomas,

I'm glad to be of help.

: if i want to allow hosts from network A to reach and talk to hosts on
: network C, but _not_ hosts on network B, is this best controlled by
: iptables? since i now probably need to specify the route to network B
: in that very table, i cannot deny network A hosts to talk to network B
: with ip, or can i?

I'd suggest you use iptables and a prohibit route:

  http://plorf.net/linux-ip/html/tools-ip-route.htm#EX-TOOLS-IP-ROUTE-ADD-FROM

Here's an example:

  # ip route add prohibit x.x.x.x/24 from y.y.y.y/24

I would be inclined to block packets at the packet filter as well.

  # iptables -t filter -A FORWARD -d x.x.x.x/24 -s y.y.y.y/24 -j REJECT

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
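As an added example (not code from Martin's mail or the LARTC project), the two commands above wrapped in a small POSIX shell script: `block_cmds` prints the route and filter commands for a source/destination pair so they can be reviewed first, `apply_block` runs them, and `check_block` confirms afterwards that the prohibit route is listed with its `from` selector intact and that the FORWARD rule is present. The subnets are constructed placeholders, and `ip route replace` / `iptables -C` are substituted for the mail's `add` / `-A` so the script can be re-run without stacking duplicate rules.

```shell
#!/bin/sh
# Added example, not code from the original mail. Constructed sample subnets;
# substitute the real ones. Network A can still reach any other network (C in
# the thread) because nothing below matches that traffic.
NET_A=10.1.0.0/24   # source network to be cut off  (y.y.y.y/24 in the mail)
NET_B=10.2.0.0/24   # destination it must not reach (x.x.x.x/24 in the mail)

# Print the two commands from the mail for one (src, dst) pair so they can be
# reviewed before anything on the router is changed.
block_cmds() {
    src="$1"; dst="$2"
    # 'replace' instead of the mail's 'add' so a re-run does not fail with EEXIST
    printf 'ip route replace prohibit %s from %s\n' "$dst" "$src"
    # '-C' looks for an identical rule first so repeated runs do not stack duplicates
    printf 'iptables -t filter -C FORWARD -s %s -d %s -j REJECT 2>/dev/null || iptables -t filter -A FORWARD -s %s -d %s -j REJECT\n' \
        "$src" "$dst" "$src" "$dst"
}

# Run the generated commands (needs root).
apply_block() {
    block_cmds "$1" "$2" | sh -e
}

# Verify the policy: the route must show up with its 'from' selector, and the
# filter rule must exist. Returns non-zero if either is missing.
check_block() {
    src="$1"; dst="$2"
    ip route show | grep -qE "^prohibit $dst from $src( |$)" || return 1
    iptables -t filter -C FORWARD -s "$src" -d "$dst" -j REJECT
}

# Run as: sh block_ab.sh apply   (without the argument it only prints the commands)
if [ "${1:-}" = apply ]; then
    apply_block "$NET_A" "$NET_B" && check_block "$NET_A" "$NET_B" \
        && echo "traffic $NET_A -> $NET_B is now prohibited and rejected"
else
    block_cmds "$NET_A" "$NET_B"
fi
```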