netfilter.vger.kernel.org archive mirror
* Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
@ 2011-04-26 12:17 Becskei Robert
  2011-04-26 16:05 ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: Becskei Robert @ 2011-04-26 12:17 UTC (permalink / raw)
  To: netfilter

Hello List,

I have a problem here. I have a client which should only be able to access
a few IPs and not the rest. But the rest of my network should be allowed to
access this client unrestricted (that is, if they initiate the connection).

Currently I'm using the following rules, which indeed allow the client to only
access a few IPs; the rest is dropped. Which is OK for the client, but not OK
for the LAN, since if someone else wants to access the client they are also
dropped.

iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.55 -j ACCEPT
iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.15 -j ACCEPT
iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.49 -j ACCEPT
iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.51 -j ACCEPT
iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.44 -j ACCEPT
iptables -A FORWARD -s 192.168.220.28 -d 192.168.205.33 -j ACCEPT
iptables -A FORWARD -s 192.168.220.28 -j DROP

What I want is:
- Client should be able to only access a few selected IPs (see above)
- Client should not be able to access anything else
- BUT! If someone from the network initiates a connection to the client, be
it ping, VNC, or whatever, it should be allowed (I don't know how to do
this)


If someone can please help me :). Thank you.

Robert


* Re: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
  2011-04-26 12:17 Forward Rule, Client access only specific ip's, rest of world access client unrestricted Becskei Robert
@ 2011-04-26 16:05 ` Grant Taylor
  2011-04-26 20:03   ` Becskei Robert
  0 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2011-04-26 16:05 UTC (permalink / raw)
  To: Mail List - Netfilter

On 04/26/11 07:17, Becskei Robert wrote:
> I have a problem here. I have a client which should only be able to access
> a few IPs and not the rest. But the rest of my network should be allowed to
> access this client unrestricted (that is, if they initiate the connection).
...
> What I want is:
> - Client should be able to only access a few selected IPs (see above)
> - Client should not be able to access anything else
> - BUT! If someone from the network initiates a connection to the client, be
> it ping, VNC, or whatever, it should be allowed (I don't know how to do
> this)

This should be possible and relatively easy to do.

> If someone can please help me :) . Thank you

You are asking for stateful packet inspection, just like you are 
probably using to filter traffic coming back in from the internet.

Try adding a rule like the following somewhere before your DROP rule.

iptables -A FORWARD -s 192.168.220.28 -m state --state ESTABLISHED,RELATED -j ACCEPT

This will allow reply traffic back out while still allowing you to 
control everything else like you are wanting to do.



Grant. . . .
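The following is an added example, not code posted by Grant or Robert: a small POSIX shell script that builds the FORWARD rules for the restricted client in the order Grant's answer depends on (stateful accept first, then the allow-list, then the catch-all DROP) and a check that an existing listing has that order. The addresses are the ones from Robert's first post; the IPT variable, the dry-run default and the check_order function are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit the FORWARD rules for the
# restricted client in the order Grant describes, and check a rule listing
# for the ordering mistake that breaks it.
#
# IPT defaults to "echo iptables" so the script is a dry run that only prints
# the commands; run it as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Addresses from Robert's first post; adjust to your own network.
CLIENT=192.168.220.28
ALLOWED_DSTS="192.168.205.55 192.168.205.15 192.168.205.49 192.168.205.51 192.168.205.44 192.168.205.33"

# Emit the rules.  Order is the whole point:
#  1. packets from the client that belong to a connection somebody else
#     initiated (replies, plus RELATED traffic such as ICMP errors) are
#     accepted before anything is dropped;
#  2. connections the client starts itself are accepted only to the allow-list;
#  3. everything else the client originates is dropped.
restrict_client() {
    $IPT -A FORWARD -s "$CLIENT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for dst in $ALLOWED_DSTS; do          # word-splitting on spaces is intended
        $IPT -A FORWARD -s "$CLIENT" -d "$dst" -j ACCEPT
    done
    $IPT -A FORWARD -s "$CLIENT" -j DROP
}

# Check a FORWARD listing (the dry-run output above, or what
# `iptables -S FORWARD` prints, where the source shows up as 192.168.220.28/32)
# and return 0 only if the client's ESTABLISHED,RELATED accept comes before
# its catch-all DROP.  A DROP that sits first discards every reply the client
# sends, which is exactly the symptom Robert started the thread with.
check_order() {
    listing="$1"
    est=$(printf '%s\n' "$listing" | grep -nE -- "-s $CLIENT(/32)? .*ESTABLISHED" | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$listing" | grep -nE -- "-s $CLIENT(/32)? -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# Dry run: print the rules, then confirm they are in a sane order.
rules=$(restrict_client)
printf '%s\n' "$rules"
check_order "$rules" && echo "order OK: stateful accept precedes DROP"
```

On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the preferred spelling of the same match; the `-m state` form from the thread still works. The check is worth keeping around because the order is the only thing that distinguishes a working ruleset from Robert's original one: the same three kinds of rule with the DROP appended first would quietly break every inbound session to the client.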


* RE: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
  2011-04-26 16:05 ` Grant Taylor
@ 2011-04-26 20:03   ` Becskei Robert
  2011-04-26 20:49     ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: Becskei Robert @ 2011-04-26 20:03 UTC (permalink / raw)
  To: 'Grant Taylor'; +Cc: netfilter

Thank you very much Grant!

I did it like this:

iptables -A FORWARD -s 192.168.220.10 -d 192.168.200.200 -j ACCEPT
iptables -A FORWARD -s 192.168.220.10 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.220.10 -j DROP

Through OpenVPN the device (192.168.220.10) connected, and I was able to access
a webpage on 192.168.200.200 from the device; then when I tried to access
another webpage on 192.168.205.15 it timed out, probably dropped.

Then I tried to ping the device from 192.168.200.200; it worked.
Then I tried to ping the device from 192.168.201.195; it worked.

I'm only writing this back because I'm double/triple checking that I
did it the right way.

Sincerely
Robert 




* Re: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
  2011-04-26 20:03   ` Becskei Robert
@ 2011-04-26 20:49     ` Grant Taylor
  2011-04-26 21:25       ` Becskei Robert
  0 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2011-04-26 20:49 UTC (permalink / raw)
  To: Mail List - Netfilter

On 04/26/11 15:03, Becskei Robert wrote:
> Thank you very much Grant!,

You are welcome.

> I'm only writing this back because I'm double/triple checking that
> I did it the right way.

It sounds like things are working the way you want.  Is this not the 
case?  (I can't tell for sure.)



Grant. . . .


* RE: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
  2011-04-26 20:49     ` Grant Taylor
@ 2011-04-26 21:25       ` Becskei Robert
  2011-04-26 21:34         ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: Becskei Robert @ 2011-04-26 21:25 UTC (permalink / raw)
  To: 'Grant Taylor'; +Cc: netfilter

Yeah, they are working all right. I was just replying in case I
misunderstood something :).

But all is working, and since you did not reply with a you #!@#!@ I told you
what to do... I guess I did it how I was supposed to.

Thank you again. This works, guess this thread can be discontinued.

Thank you!

Robert


* Re: Forward Rule, Client access only specific ip's, rest of world access client unrestricted.
  2011-04-26 21:25       ` Becskei Robert
@ 2011-04-26 21:34         ` Grant Taylor
  0 siblings, 0 replies; 7+ messages in thread
From: Grant Taylor @ 2011-04-26 21:34 UTC (permalink / raw)
  To: Mail List - Netfilter

On 04/26/11 16:25, Becskei Robert wrote:
> Yeah, they are working all right. I was just replying in case I
> misunderstood something :).

Ok.

> But all is working, and since you did not reply with a you #!@#!@ I
> told you what to do... I guess I did it how I was supposed to.

Yep you did.

I wouldn't do that to someone.  As soon as I did, I'd be the one asking 
for help the following week.

> Thank you again. This works, guess this thread can be discontinued.
>
> Thank you!

You are welcome.



Grant. . . .
