* Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
@ 2011-04-26 12:17 Becskei Robert
2011-04-26 16:05 ` Grant Taylor
0 siblings, 1 reply; 7+ messages in thread
From: Becskei Robert @ 2011-04-26 12:17 UTC (permalink / raw)
To: netfilter
Hello List,
I have a problem here, I have a client, which should only be able to access
a few ip's and not the rest. But the rest of my network should be allowed to
access this client unrestricted (that is if they initiate the connection).
Currently I'm using the following rules, which indeed allows client to only
access a few ip's , the rest is dropped. Which is ok for client , but not ok
for lan since if someone else wants to access the client they are also
dropped.
1. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.55 -j ACCEPT
2. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.15 -j ACCEPT
3. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.49 -j ACCEPT
4. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.51 -j ACCEPT
5. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.44 -j ACCEPT
6. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.33 -j ACCEPT
7. iptables -A FORWARD -s 192.168.220.28 -j DROP
What I want is :
- Client should be able to only access a few selected ip's (see above)
- Client should not be able to access anything else
- BUT! If someone from the network initiates a connection to the client, be
it ping, vnc, or whatever it should be allowed ( I don't know how to do
this)
If someone can please help me :) . Thank you
Robert
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
2011-04-26 12:17 Forward Rule, Client access only specific ip's, rest of world access client unrestricted Becskei Robert
@ 2011-04-26 16:05 ` Grant Taylor
2011-04-26 20:03 ` Becskei Robert
0 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2011-04-26 16:05 UTC (permalink / raw)
To: Mail List - Netfilter
On 04/26/11 07:17, Becskei Robert wrote:
> I have a problem here, I have a client, which should only be able to access
> a few ip's and not the rest. But the rest of my network should be allowed to
> access this client unrestricted (that is if they initiate the connection).
...
> What I want is :
> - Client should be able to only access a few selected ip's (see above)
> - Client should not be able to access anything else
> - BUT! If someone from the network initiates a connection to the client, be
> it ping, vnc, or whatever it should be allowed ( I don't know how to do
> this)
This should be possible and relatively easy to do.
> If someone can please help me :) . Thank you
You are asking for stateful packet inspection, just like you are
probably using to filter traffic coming back in from the internet.
Try adding a rule like the following somewhere before your DROP rule.
iptables -A FORWARD -s 192.168.220.28 -m state --state
ESTABLISHED,RELATED -j ACCEPT
This will allow reply traffic back out while still allowing you to
control everything else like you are wanting to do.
Grant. . . .
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
2011-04-26 16:05 ` Grant Taylor
@ 2011-04-26 20:03 ` Becskei Robert
2011-04-26 20:49 ` Grant Taylor
0 siblings, 1 reply; 7+ messages in thread
From: Becskei Robert @ 2011-04-26 20:03 UTC (permalink / raw)
To: 'Grant Taylor'; +Cc: netfilter
Thank you very much Grant!,
I've did it like this :
iptables -A FORWARD -s 192.168.220.10 -d 192.168.200.200 -j ACCEPT
iptables -A FORWARD -s 192.168.220.10 -m state --state ESTABLISHED,RELATED
-j ACCEPT
iptables -A FORWARD -s 192.168.220.10 -j DROP
Trough OpenVPN the device connected (192.168.220.10) , I was able to access
192.168.200.200 from the device a webpage, then when I've
Tried to access 192.168.205.15 another webpage it timed out , probably drop.
Then I've tried to ping device from 192.168.200.200 , it worked.
Then I've tried to ping device from 192.168.201.195 , it worked.
I'm only writing this back, because I'm double / triple checking that I've
did it the right way.
Sincerely
Robert
-----Original Message-----
From: netfilter-owner@vger.kernel.org
[mailto:netfilter-owner@vger.kernel.org] On Behalf Of Grant Taylor
Sent: Tuesday, April 26, 2011 18:06
To: Mail List - Netfilter
Subject: Re: Forward Rule, Client access only specific ip's, rest of world
access client unrestricted.
On 04/26/11 07:17, Becskei Robert wrote:
> I have a problem here, I have a client, which should only be able to
access
> a few ip's and not the rest. But the rest of my network should be allowed
to
> access this client unrestricted (that is if they initiate the connection).
...
> What I want is :
> - Client should be able to only access a few selected ip's (see above)
> - Client should not be able to access anything else
> - BUT! If someone from the network initiates a connection to the client,
be
> it ping, vnc, or whatever it should be allowed ( I don't know how to do
> this)
This should be possible and relatively easy to do.
> If someone can please help me :) . Thank you
You are asking for stateful packet inspection, just like you are
probably using to filter traffic coming back in from the internet.
Try adding a rule like the following somewhere before your DROP rule.
iptables -A FORWARD -s 192.168.220.28 -m state --state
ESTABLISHED,RELATED -j ACCEPT
This will allow reply traffic back out while still allowing you to
control everything else like you are wanting to do.
Grant. . . .
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
2011-04-26 20:03 ` Becskei Robert
@ 2011-04-26 20:49 ` Grant Taylor
2011-04-26 21:25 ` Becskei Robert
0 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2011-04-26 20:49 UTC (permalink / raw)
To: Mail List - Netfilter
On 04/26/11 15:03, Becskei Robert wrote:
> Thank you very much Grant!,
You are welcome.
> I'm only writing this back, because I'm double / triple checking that
> I've did it the right way.
It sounds like things are working the way you want. Is this not the
case? (I can't tell for sure.)
Grant. . . .
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
2011-04-26 20:49 ` Grant Taylor
@ 2011-04-26 21:25 ` Becskei Robert
2011-04-26 21:34 ` Grant Taylor
0 siblings, 1 reply; 7+ messages in thread
From: Becskei Robert @ 2011-04-26 21:25 UTC (permalink / raw)
To: 'Grant Taylor'; +Cc: netfilter
Yeah , they are working all right. I was just replying in case I
misunderstood something :) .
But all is working, and since you did not reply with a you #!@#!@ I told you
what to do... I guess I did it how I was supposed to.
Thank you again. This works, guess this thread can be discontinued.
Thank you!
Robert
-----Original Message-----
From: netfilter-owner@vger.kernel.org
[mailto:netfilter-owner@vger.kernel.org] On Behalf Of Grant Taylor
Sent: Tuesday, April 26, 2011 22:50
To: Mail List - Netfilter
Subject: Re: Forward Rule, Client access only specific ip's, rest of world
access client unrestricted.
On 04/26/11 15:03, Becskei Robert wrote:
> Thank you very much Grant!,
You are welcome.
> I'm only writing this back, because I'm double / triple checking that
> I've did it the right way.
It sounds like things are working the way you want. Is this not the
case? (I can't tell for sure.)
Grant. . . .
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
2011-04-26 21:25 ` Becskei Robert
@ 2011-04-26 21:34 ` Grant Taylor
0 siblings, 0 replies; 7+ messages in thread
From: Grant Taylor @ 2011-04-26 21:34 UTC (permalink / raw)
To: Mail List - Netfilter
On 04/26/11 16:25, Becskei Robert wrote:
> Yeah , they are working all right. I was just replying in case I
> misunderstood something :) .
Ok.
> But all is working, and since you did not reply with a you #!@#!@ I
> told you what to do... I guess I did it how I was supposed to.
Yep you did.
I wouldn't do that to someone. As soon as I did, I'd be the one asking
for help the following week.
> Thank you again. This works, guess this thread can be discontinued.
>
> Thank you!
You are welcome.
Grant. . . .
^ permalink raw reply [flat|nested] 7+ messages in thread
* Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
@ 2011-04-26 13:01 Becskei Robert
0 siblings, 0 replies; 7+ messages in thread
From: Becskei Robert @ 2011-04-26 13:01 UTC (permalink / raw)
To: netfilter
Hello List,
I have a problem here, I have a client, which should only be able to access
a few ip's and not the rest. But the rest of my network should be allowed to
access this client unrestricted (that is if they initiate the connection).
Currently I'm using the following rules, which indeed allows client to only
access a few ip's , the rest is dropped. Which is ok for client , but not ok
for lan since if someone else wants to access the client they are also
dropped.
1. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.55 -j ACCEPT
2. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.15 -j ACCEPT
3. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.49 -j ACCEPT
4. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.51 -j ACCEPT
5. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.44 -j ACCEPT
6. iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.33 -j ACCEPT
7. iptables -A FORWARD -s 192.168.220.28 -j DROP
What I want is :
- Client should be able to only access a few selected ip's (see above)
- Client should not be able to access anything else
- BUT! If someone from the network initiates a connection to the client, be
it ping, vnc, or whatever it should be allowed ( I don't know how to do
this)
If someone can please help me :) . Thank you
Robert
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-04-26 21:34 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-04-26 12:17 Forward Rule, Client access only specific ip's, rest of world access client unrestricted Becskei Robert
2011-04-26 16:05 ` Grant Taylor
2011-04-26 20:03 ` Becskei Robert
2011-04-26 20:49 ` Grant Taylor
2011-04-26 21:25 ` Becskei Robert
2011-04-26 21:34 ` Grant Taylor
-- strict thread matches above, loose matches on Subject: below --
2011-04-26 13:01 Becskei Robert
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).