* [LARTC] Firewalling certain IP ranges
@ 2004-08-21 13:14 Patrick Coleman
From: Patrick Coleman @ 2004-08-21 13:14 UTC
To: lartc
Hi,
I have a linux router which is connected to a local network and the internet (eth0 and eth1). My
local network (eth0) consists of two IP ranges, which are assigned by a DHCP server on my router -
10.0.0.2-10.0.0.19 for trusted clients (MAC addresses are known) and 10.0.0.20-10.0.0.254 for
untrusted clients (MAC addresses are not known). These two ranges share the same physical network,
which is partly wireless, hence the trusted/untrusted hosts setup.
Some trusted clients are on the wireless network, most are on wired. All untrusted clients are on
the wireless network.
How can I provide some services, but no internet access to untrusted hosts, yet still allow trusted
clients on wireless to access the internet (clearly I can't simply firewall off the access point)?
Thanks in advance,
Patrick
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Firewalling certain IP ranges
@ 2004-08-22 2:22 ` gypsy
From: gypsy @ 2004-08-22 2:22 UTC
To: lartc
Patrick Coleman wrote:
> How can I provide some services, but no internet access to untrusted hosts, yet still allow trusted
> clients on wireless to access the internet (clearly I can't simply firewall off the access point)?
>
> Thanks in advance,
> Patrick
Why not? That's exactly what I do at work.
The work setup is a linux box with 2 NICs; eth0 internal NW and eth1
external. DNAT. The firewall script reads /etc/firewall/ACL which
contains the IPs of the machines allowed internet access. More
specifically, ACL contains:
192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
192.168.1.4;udp;123;--dport;123
192.168.1.4;tcp;1024:65535;--dport;1024:65535
192.168.1.4;udp;1024:65535;--dport;1024:65535
Note that I chose semicolon as a delimiter because it was the first
thing I thought of that would work. I have as many of those 4-line
entries as there are allowed computers. Most have a much more limited
first line --dport list than I show here because they don't need all
those services.
Then the applicable part of the iptables script:
# Access control:
# $IFI and $IFE are the internal and external interfaces (eth0 and eth1 in this setup).
IFI=eth0
IFE=eth1
if [ -f /etc/firewall/ACL ]; then
    while read -r FWD ; do
        # skip blank lines and lines that are only a comment
        case "$FWD" in ''|'#'*) continue ;; esac
        IP=`echo "$FWD" | cut -d ';' -f 1`
        PROTO=`echo "$FWD" | cut -d ';' -f 2`
        SPORT=`echo "$FWD" | cut -d ';' -f 3`
        PLURAL=`echo "$FWD" | cut -d ';' -f 4`                  # either "--dport" or "-m mport --dports"
        DPORT=`echo "$FWD" | cut -d ';' -f 5 | cut -d '#' -f 1` # drop an inline "# comment"
        # $PLURAL is deliberately unquoted so "-m mport --dports" splits into separate words
        iptables -A FORWARD -i $IFI -o $IFE -s $IP -p $PROTO --sport $SPORT \
            $PLURAL $DPORT -j ACCEPT
    done </etc/firewall/ACL
fi
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The DPORT line allows "inline" comments at the end of any line. $IFE
and $IFI should be self-explanatory. Everything on the FORWARD chain
that is not specifically allowed is denied (DROPped).
HTH
gypsy
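A self-contained version of the ACL-to-rules step, written as an added example rather than gypsy's script: it reads the same semicolon format, tolerates blank, comment and inline-commented lines, refuses malformed entries instead of feeding empty arguments to iptables, and by default only prints the rules it would add (IFI, IFE, IPT and the sample ACL contents are assumptions; the host and ports are gypsy's example values).

```shell
#!/bin/sh
# Added example, not gypsy's script: turn /etc/firewall/ACL-style lines
# (ip;proto;sport;dport-flag;dports) read from stdin into FORWARD rules.
# IFI/IFE are the internal/external interfaces as in the post. IPT
# defaults to a dry run that prints the rules; set IPT=iptables to apply.
set -f                      # fields are split unquoted: no glob expansion
IFI=${IFI:-eth0}
IFE=${IFE:-eth1}
IPT=${IPT:-"echo iptables"}

acl_rules() {
    while IFS= read -r line; do
        line=${line%%#*}                        # strip inline "# comment"
        line=${line%"${line##*[![:space:]]}"}   # strip trailing whitespace
        case $line in
            *[![:space:]]*) ;;                  # has content, keep going
            *) continue ;;                      # blank or comment-only line
        esac
        oldifs=$IFS; IFS=';'; set -- $line; IFS=$oldifs
        if [ $# -ne 5 ]; then
            echo "acl_rules: expected 5 fields, got $#: $line" >&2
            return 1
        fi
        for f in "$1" "$2" "$3" "$4" "$5"; do
            [ -n "$f" ] || { echo "acl_rules: empty field in: $line" >&2; return 1; }
        done
        # $4 is deliberately unquoted: it is "--dport" or the multi-word
        # "-m mport --dports" (current kernels use "-m multiport --dports").
        $IPT -A FORWARD -i "$IFI" -o "$IFE" -s "$1" -p "$2" \
            --sport "$3" $4 "$5" -j ACCEPT || return 1
    done
}

# Constructed sample ACL: a comment line, a blank line and an inline
# comment, wrapped around two of gypsy's example entries.
sample_acl() {
    cat <<'EOF'
# trusted workstation
192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873

192.168.1.4;udp;123;--dport;123   # ntp
EOF
}

sample_acl | acl_rules
```

For Patrick's contiguous trusted range the IP field can hold a CIDR prefix, which `-s` accepts, but 10.0.0.2-10.0.0.19 is not a single prefix; iptables' `-m iprange --src-range` covers such a range directly.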