Linux Advanced Routing and Traffic Control list
From: gypsy <gypsy@iswest.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Firewalling certain IP ranges
Date: Sun, 22 Aug 2004 02:22:39 +0000	[thread overview]
Message-ID: <4128036F.F6FC0583@iswest.com> (raw)
In-Reply-To: <41274A9D.8020002@iinet.net.au>

Patrick Coleman wrote:
> How can I provide some services, but no internet access to untrusted hosts, yet still allow trusted
> clients on wireless to access the internet (clearly I cant simply firewall off the access point)?
> 
> Thanks in advance,
> Patrick

Why not?  That's exactly what I do at work.

The work setup is a linux box with 2 NICs; eth0 internal NW and eth1
external.  DNAT.  The firewall script reads /etc/firewall/ACL which
contains the IPs of the machines allowed internet access.  More
specifically, ACL contains:
192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
192.168.1.4;udp;123;--dport;123
192.168.1.4;tcp;1024:65535;--dport;1024:65535
192.168.1.4;udp;1024:65535;--dport;1024:65535

Note that I chose semicolon as a delimiter because it was the first
thing I thought of that would work.  I have as many of those 4-line
entries as there are allowed computers.  Most have a much more limited
first line --dport list than I show here because they don't need all
those services.

Then the applicable part of the iptables script:
# Access control:
# Assumed for this excerpt, from the description above: eth0 is the
# internal interface and eth1 the external one.
IFI=eth0
IFE=eth1
if [ -f /etc/firewall/ACL ]; then
  # one entry per line: IP;proto;sport;selector;dports[ # comment]
  while read -r FWD ; do
    IP=`echo "$FWD" | cut -d ';' -f 1`
    PROTO=`echo "$FWD" | cut -d ';' -f 2`
    SPORT=`echo "$FWD" | cut -d ';' -f 3`
    PLURAL=`echo "$FWD" | cut -d ';' -f 4` # either "--dport" or "-m mport --dports"
    DPORT=`echo "$FWD" | cut -d ';' -f 5 | cut -d '#' -f 1` # drop inline comment
    # $PLURAL is deliberately unquoted so "-m mport --dports" splits into words
    iptables -A FORWARD -i $IFI -o $IFE -s $IP -p $PROTO --sport $SPORT $PLURAL $DPORT -j ACCEPT
  done </etc/firewall/ACL
fi
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The DPORT line allows "inline" comments at the end of any line.  $IFE
and $IFI should be self explanatory.  Everything on the FORWARD chain
that is not specifically allowed is denied (DROPped).

HTH
gypsy
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
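An added example, not gypsy's script: a stricter loader for the same ACL format that validates every field and prints the resulting FORWARD rules as a dry run, refusing the whole file if any line is malformed. It assumes eth0/eth1 as in the post and a constructed sample ACL embedded below.

```shell
#!/bin/sh
# Added example (not the script from the post): parse the semicolon-delimited ACL
# format above and print, as a dry run, the iptables FORWARD rules it yields,
# refusing the whole file if any line is malformed. Assumed interfaces: eth0 in, eth1 out.
IFI=${IFI:-eth0}; IFE=${IFE:-eth1}
NL=$(printf '\nx'); NL=${NL%x}                       # a literal newline

# acl_rule LINE: print one rule; return 2 for a blank/comment-only line,
# 1 (with a message on stderr) for a malformed one.
acl_rule() {
    line=${1%%#*}                                    # drop inline comment
    line=${line%"${line##*[![:space:]]}"}            # trim trailing blanks
    line=${line#"${line%%[![:space:]]*}"}            # trim leading blanks
    [ -n "$line" ] || return 2
    IFS=';' read -r ip proto sport plural dport <<EOF
$line
EOF
    case $ip    in *[!0-9./]*|'') echo "bad source: '$ip'" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "bad proto: '$proto'" >&2; return 1 ;; esac
    case $sport in *[!0-9:]*|'') echo "bad sport: '$sport'" >&2; return 1 ;; esac
    case $plural in                                  # selector decides dport syntax
        --dport) pat='*[!0-9:]*' ;;                  # one port or one range only
        '-m mport --dports'|'-m multiport --dports') pat='*[!0-9:,]*' ;;
        *) echo "bad selector: '$plural'" >&2; return 1 ;;
    esac
    case $dport in $pat|'') echo "bad dport: '$dport'" >&2; return 1 ;; esac
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p %s --sport %s %s %s -j ACCEPT\n' \
        "$IFI" "$IFE" "$ip" "$proto" "$sport" "$plural" "$dport"
}

# check_acl < FILE: validate every line before emitting anything, so a typo
# cannot leave the FORWARD chain half-populated; output is fit to pipe into sh.
check_acl() {
    rules=''; n=0; bad=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        n=$((n + 1))
        rule=$(acl_rule "$raw")
        case $? in 0) rules="$rules$rule$NL" ;; 2) ;;
            *) echo "ACL line $n rejected, nothing emitted" >&2; bad=1 ;; esac
    done
    [ "$bad" -eq 0 ] || return 1
    printf '%s' "$rules"
}

# Constructed sample ACL in the post's format (inline comment, blank line).
ACL_GOOD='192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
192.168.1.4;udp;123;--dport;123   # NTP

192.168.1.4;tcp;1024:65535;--dport;1024:65535'
printf '%s\n' "$ACL_GOOD" | check_acl
```

Replace the final line with `check_acl </etc/firewall/ACL | sh` to apply a file that passes; a file with one bad line produces no rules at all.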

Thread overview: 2+ messages
2004-08-21 13:14 [LARTC] Firewalling certain IP ranges Patrick Coleman
2004-08-22  2:22 ` gypsy [this message]