From: Mike Jones on 14 Jun 2010 12:14

How do I set up a stateful filter for a client machine?

ATM I can restrict things to the local network, but as traffic is all
local network to the client until the router box masquerades it, the
client can still reach through the router box and out to the web, and the
reverse is true also.

I'm looking for a method for the /client/ to be able to temporarily
restrict its own traffic just to the router box and no further, via
IPtables.

Example:

(Where CNET="192.168.0.0-255")

$IPT -A INPUT -i $NIC_LAN \
  -m iprange --src-range $CNET \
  -p tcp -m multiport --ports $PORTS_LAN \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NIC_LAN \
  -m iprange --dst-range $CNET \
  -p tcp -m multiport --ports $PORTS_LAN \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

...still does internet via the router forwarding. Bah!

Clues?

XP alt.os.linux.slackware,alt.os.linux
FU alt.os.linux

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.
From: Pascal Hambourg on 14 Jun 2010 12:29

Hello,

Mike Jones wrote:
> How do I set up a stateful filter for a client machine?
>
> ATM I can restrict things to the local network, but as traffic is all
> local network to the client until the router box masquerades it, the
> client can still reach through the router box and out to the web, and the
> reverse is true also.
>
> I'm looking for a method for the /client/ to be able to temporarily
> restrict its own traffic just to the router box and no further, via
> IPtables.
>
> Example:
>
> (Where CNET="192.168.0.0-255")
>
> $IPT -A INPUT -i $NIC_LAN \
>   -m iprange --src-range $CNET \

If the IP range is a prefix, you can simply use -s/d $RANGE: -s 192.168.0.0/24

>   -p tcp -m multiport --ports $PORTS_LAN \

What is $PORTS_LAN?

>   -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -o $NIC_LAN \
>   -m iprange --dst-range $CNET \
>   -p tcp -m multiport --ports $PORTS_LAN \
>   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> ...still does internet via the router forwarding. Bah!
>
> Clues?

Is this the complete ruleset or are there other rules? What are the default policies?
From: WildWizard on 14 Jun 2010 16:25

On 15/06/10 02:14, Mike Jones wrote:
>
> How do I set up a stateful filter for a client machine?
>
> ATM I can restrict things to the local network, but as traffic is all
> local network to the client until the router box masquerades it, the
> client can still reach through the router box and out to the web, and the
> reverse is true also.
>
> I'm looking for a method for the /client/ to be able to temporarily
> restrict its own traffic just to the router box and no further, via
> IPtables.
>
>
> Example:
>
> (Where CNET="192.168.0.0-255")
>
> $IPT -A INPUT -i $NIC_LAN \
>   -m iprange --src-range $CNET \
>   -p tcp -m multiport --ports $PORTS_LAN \
>   -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -o $NIC_LAN \
>   -m iprange --dst-range $CNET \
>   -p tcp -m multiport --ports $PORTS_LAN \
>   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> ...still does internet via the router forwarding. Bah!
>
> Clues?

Does this include a policy to drop packets that don't match those rules?
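An added example, not posted by anyone in the thread: a client-side ruleset that does what the original post asks, with the DROP default policies that WildWizard and Pascal are asking about, so that anything the ACCEPT rules do not match is discarded instead of falling through to a chain whose default is ACCEPT. It takes Pascal's suggestion of -s/-d with a /24 prefix instead of -m iprange (which expects a full start-end address pair); NIC_LAN, CNET and PORTS_LAN are the original post's variable names, the values are constructed here, and IPT defaults to a dry run that prints the commands rather than running them.

```shell
#!/bin/sh
# Confine this client to its own /24 (example code, not from the thread).
# Set IPT=iptables and run as root to apply; the default only echoes.
NIC_LAN="${NIC_LAN:-eth0}"
CNET="${CNET:-192.168.0.0/24}"       # a prefix, so -s/-d works; no iprange needed
PORTS_LAN="${PORTS_LAN:-22,80,443}"  # constructed: TCP services this client may use on the LAN
IPT="${IPT:-echo iptables}"          # dry run by default

client_lan_only_rules() {
    # Start from a clean filter table.
    $IPT -F
    $IPT -X
    # Default DROP on every chain: this is what the original ruleset lacked.
    # ACCEPT rules alone filter nothing when the chain policy is still ACCEPT.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this client opened, from LAN addresses only.
    $IPT -A INPUT -i "$NIC_LAN" -s "$CNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New TCP connections only to hosts inside the local prefix. A packet for
    # an internet address has a destination outside CNET, matches nothing,
    # and hits the OUTPUT DROP policy before the router ever sees it.
    $IPT -A OUTPUT -o "$NIC_LAN" -d "$CNET" -p tcp -m multiport --dports "$PORTS_LAN" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run check: how many chains were given a DROP policy (expect 3).
drop_policy_count() {
    client_lan_only_rules | grep -c -- '-P [A-Z]* DROP'
}
```

Note that only TCP is opened towards the LAN; UDP services such as DNS on the router box need their own -p udp rule or they fall to the DROP policy as well.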
From: Mike Jones on 14 Jun 2010 19:08

Responding to Pascal Hambourg:

> Hello,
>
> Mike Jones wrote:
>> How do I set up a stateful filter for a client machine?
>>
>> ATM I can restrict things to the local network, but as traffic is all
>> local network to the client until the router box masquerades it, the
>> client can still reach through the router box and out to the web, and
>> the reverse is true also.
>>
>> I'm looking for a method for the /client/ to be able to temporarily
>> restrict its own traffic just to the router box and no further, via
>> IPtables.
>>
>> Example:
>>
>> (Where CNET="192.168.0.0-255")
>>
>> $IPT -A INPUT -i $NIC_LAN \
>>   -m iprange --src-range $CNET \
>
> If the IP range is a prefix, you can simply use -s/d $RANGE: -s
> 192.168.0.0/24
>
>>   -p tcp -m multiport --ports $PORTS_LAN \
>
> What is $PORTS_LAN?
>
>>   -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPT -A OUTPUT -o $NIC_LAN \
>>   -m iprange --dst-range $CNET \
>>   -p tcp -m multiport --ports $PORTS_LAN \
>>   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>
>> ...still does internet via the router forwarding. Bah!
>>
>> Clues?
>
> Is this the complete ruleset or are there other rules? What are the
> default policies?

Oops! Posted in a rush. I'll do this better tomorrow, after some sleep. %)

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.
From: Mike Jones on 14 Jun 2010 19:08

Responding to WildWizard:

> On 15/06/10 02:14, Mike Jones wrote:
>>
>> How do I set up a stateful filter for a client machine?
>>
>> ATM I can restrict things to the local network, but as traffic is all
>> local network to the client until the router box masquerades it, the
>> client can still reach through the router box and out to the web, and
>> the reverse is true also.
>>
>> I'm looking for a method for the /client/ to be able to temporarily
>> restrict its own traffic just to the router box and no further, via
>> IPtables.
>>
>>
>> Example:
>>
>> (Where CNET="192.168.0.0-255")
>>
>> $IPT -A INPUT -i $NIC_LAN \
>>   -m iprange --src-range $CNET \
>>   -p tcp -m multiport --ports $PORTS_LAN \
>>   -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPT -A OUTPUT -o $NIC_LAN \
>>   -m iprange --dst-range $CNET \
>>   -p tcp -m multiport --ports $PORTS_LAN \
>>   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>
>> ...still does internet via the router forwarding. Bah!
>>
>> Clues?
>
> Does this include a policy to drop packets that don't match those rules?

Oops! Posted in a rush. I'll do this better tomorrow, after some sleep. %)

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.