From mboxrd@z Thu Jan 1 00:00:00 1970
From: gypsy
Date: Sun, 22 Aug 2004 02:22:39 +0000
Subject: Re: [LARTC] Firewalling certain IP ranges
Message-Id: <4128036F.F6FC0583@iswest.com>
List-Id:
References: <41274A9D.8020002@iinet.net.au>
In-Reply-To: <41274A9D.8020002@iinet.net.au>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Patrick Coleman wrote:
> How can I provide some services, but no internet access to untrusted hosts, yet still allow trusted
> clients on wireless to access the internet (clearly I can't simply firewall off the access point)?
>
> Thanks in advance,
> Patrick

Why not? That's exactly what I do at work.

The work setup is a linux box with 2 NICs; eth0 internal NW and eth1 external. DNAT. The firewall
script reads /etc/firewall/ACL which contains the IPs of the machines allowed internet access.

More specifically, ACL contains:

    192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
    192.168.1.4;udp;123;--dport;123
    192.168.1.4;tcp;1024:65535;--dport;1024:65535
    192.168.1.4;udp;1024:65535;--dport;1024:65535

Note that I chose semicolon as a delimiter because it was the first thing I thought of that would
work. I have as many of those 4-line entries as there are allowed computers. Most have a much more
limited first line --dport list than I show here because they don't need all those services.

Then the applicable part of the iptables script:

    # Access control:
    # $IFI (internal interface) and $IFE (external interface) are set earlier in the script.
    if [ -f /etc/firewall/ACL ]; then
        while read FWD ; do
            IP=`echo "$FWD" | cut -d ';' -f 1`
            PROTO=`echo "$FWD" | cut -d ';' -f 2`
            SPORT=`echo "$FWD" | cut -d ';' -f 3`
            PLURAL=`echo "$FWD" | cut -d ';' -f 4`    # either "--dport" or "-m mport --dports"
            # anything after a '#' in the last field is treated as a comment
            DPORT=`echo "$FWD" | cut -d ';' -f 5 | cut -d '#' -f 1`
            # $PLURAL is deliberately unquoted so "-m mport --dports" expands to separate arguments
            iptables -A FORWARD -i $IFI -o $IFE -s $IP -p $PROTO --sport $SPORT $PLURAL $DPORT -j ACCEPT
        done < /etc/firewall/ACL
    fi
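The shell loop above feeds each ACL field straight into iptables without checking it, so a mistyped line silently produces a wrong or rejected rule. As an added example (not part of the original message or its firewall script), the following parser validates the semicolon-delimited ACL format described above and builds each iptables command as an argument list; the four sample lines are the ones quoted in the message, and the interface names "eth0"/"eth1" stand in for the script's $IFI/$IFE.

```python
import ipaddress
import re

# Constructed sample input: the four ACL lines quoted in the message.
SAMPLE_ACL = """\
192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
192.168.1.4;udp;123;--dport;123
192.168.1.4;tcp;1024:65535;--dport;1024:65535
192.168.1.4;udp;1024:65535;--dport;1024:65535
"""

PORT_SPEC = re.compile(r"^\d{1,5}(:\d{1,5})?$")  # "80" or "1024:65535"

def check_ports(spec, allow_list):
    """Accept a single port/range, or a comma list of them when allow_list is set."""
    for part in (spec.split(",") if allow_list else [spec]):
        if not PORT_SPEC.match(part):
            raise ValueError(f"bad port spec {spec!r}")
        lo, _, hi = part.partition(":")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port out of range or inverted in {spec!r}")

def parse_acl(text, ifi="eth0", ife="eth1"):
    """Turn ACL text into a list of iptables argv lists, rejecting malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # like the script's cut -d '#' -f 1 on the last field
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ip, proto, sport, plural, dport = (f.strip() for f in fields)
        ipaddress.ip_network(ip, strict=False)  # host or CIDR; raises on garbage
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: unsupported protocol {proto!r}")
        check_ports(sport, allow_list=False)
        if plural == "--dport":
            check_ports(dport, allow_list=False)
            dport_args = ["--dport", dport]
        elif plural == "-m mport --dports":
            check_ports(dport, allow_list=True)
            dport_args = ["-m", "mport", "--dports", dport]
        else:
            raise ValueError(f"line {lineno}: unknown port selector {plural!r}")
        rules.append(["iptables", "-A", "FORWARD", "-i", ifi, "-o", ife, "-s", ip,
                      "-p", proto, "--sport", sport, *dport_args, "-j", "ACCEPT"])
    return rules
```

Passing each list to subprocess.run() instead of a shell string avoids the word-splitting the original loop relies on, and a bad line now fails before any rule is loaded.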