
Re: IP-Tables Question



On Fri, Jan 28, 2005 at 12:19:15PM +0100, Omar wrote:
> Hello all,
>   My question is how do I restrict access for the IP address 
> 192.168.1.2 since it is a server, and it should not be able to access 
> the internet or be accessible from the internet.  It's a Windows2002 
> server; even though the gateway address is entered incorrectly it still 
> connects to the internet.  But it should be accessible from the internal 
> network.  Below you will find the iptables -L, route, and the 
> iptables.rules.  This company has multiple locations, and each location 
> with its own IP 192.168.1.0 192.168.1.0 and so on...
> So 192.168.1.2 should not reach the net, and should not be reachable 
> from the net, but it should be reachable from the internal network...
>   I am pretty new to using linux routers, any and all help is 
> appreciated ...

it's on a private address, so it's not reachable from the net by default.

so, all you have to do is make sure it doesn't get masqueraded.

the following extra rules may do the job.

(NOTE: untested, but should work in theory, which is always identical to
practice, isn't it :)

> Thanks in Advance
> 
> iptables.rules
> # Generated by iptables-save v1.2.7a on Thu Jul 22 12:00:52 2004
> *nat
> :PREROUTING ACCEPT [310:17397]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.101:3389

you don't want to masquerade packets from 192.168.1.2, so insert the following
rule here (note: it is important that it comes before the rule which
masquerades the rest of 192.168.1.0/24).

-A POSTROUTING -s 192.168.1.2/32 -o eth0 -j DROP

> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 192.168.3.0/255.255.255.0 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 192.168.4.0/255.255.255.0 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Jul 22 12:00:52 2004
> # Generated by iptables-save v1.2.7a on Thu Jul 22 12:00:52 2004
> *mangle
> :PREROUTING ACCEPT [4871:2022756]
> :INPUT ACCEPT [27:3503]
> :FORWARD ACCEPT [4839:2018537]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [4839:2018537]
> COMMIT
> # Completed on Thu Jul 22 12:00:52 2004
> # Generated by iptables-save v1.2.7a on Thu Jul 22 12:00:52 2004
> *filter
> :INPUT ACCEPT [27:3503]
> :FORWARD ACCEPT [4839:2018537]
> :OUTPUT ACCEPT [0:0]

insert the following two rules here.  the first prevents 192.168.0.2 from
sending packets to anywhere but the local net.  the second allows any host in
the local net to reach any other host on the LAN.  (again, the order of rules
is significant)

# FORWARD, not INPUT: the server's packets pass through the router rather
# than terminating on it, and INPUT never sees forwarded traffic.
-A FORWARD -s 192.168.1.2/32 -d ! 192.168.0.0/255.255.0.0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -d 192.168.0.0/255.255.0.0 -j ACCEPT

> -A INPUT -s 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.0.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 82.150.37.0/255.255.255.128 -p tcp -m tcp --dport 22 -j 
> ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j DROP
> COMMIT
> # Completed on Thu Jul 22 12:00:52 2004


> 
> root@venus:~# iptables -L

note: to show nat rules, "iptables -t nat -L".  and the "-n" arg to iptables
is useful, it prevents delays trying to resolve any IP or network addresses in
the rules.



hope that helps.  the idea is sound, even if the untested example rules i
supplied don't work.  if they don't, experiment with systematic variations of
them until you find what does work.  and then figure out what the difference
was so that you know the answer rather than just rely on guesswork and magic.

craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
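As an added example (editor's code, not part of the thread and not either poster's rules): a script that builds the complete ruleset in the iptables-restore format Omar's file already uses, putting the filter rules in the FORWARD chain, which is where traffic the router forwards for other hosts actually passes (INPUT only sees packets addressed to the router itself), and placing the no-masquerade exception ahead of the MASQUERADE rules. The interface eth0, the 192.168.x.0/24 sites and the 3389 port forward are taken from the posted rules; the 192.168.0.0/16 aggregate follows Craig's rule; `! -d` is the negation syntax of current iptables (the 1.2.7a output on the page writes it as `-d ! net`). `check_order` is a sanity check belonging to this script, not an iptables feature.

```shell
#!/bin/sh
# Added example, not from the original thread.  Generates an iptables-restore
# ruleset that keeps one internal host off the internet while leaving it
# reachable from the internal networks.  Assumptions: eth0 is the WAN
# interface (as in Omar's rules), every site lives inside 192.168.0.0/16
# (Craig's rule assumes the same), and iptables-restore loads the rules.
ISOLATED_HOST="192.168.1.2"
INTERNAL_NETS="192.168.0.0/16"
WAN_IF="eth0"

# Emit the ruleset on stdout.  The nat table only decides whether an address
# is rewritten; whether a packet may pass at all is decided in the filter
# table.  Packets the router forwards for other hosts traverse FORWARD,
# never INPUT (INPUT sees only packets addressed to the router itself).
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forward from the original ruleset (unrelated to the isolated host).
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.101:3389
# Exception must precede the MASQUERADE rules: iptables stops at first match.
-A POSTROUTING -s ${ISOLATED_HOST}/32 -o ${WAN_IF} -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o ${WAN_IF} -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o ${WAN_IF} -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -o ${WAN_IF} -j MASQUERADE
-A POSTROUTING -s 192.168.4.0/24 -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The isolated host may only exchange traffic with the internal networks.
# (iptables 1.2.x wrote the negation as "-d ! net"; current versions use "! -d".)
-A FORWARD -s ${ISOLATED_HOST}/32 ! -d ${INTERNAL_NETS} -j DROP
-A FORWARD -d ${ISOLATED_HOST}/32 ! -s ${INTERNAL_NETS} -j DROP
# Internal-to-internal traffic passes; the FORWARD policy handles the rest.
-A FORWARD -s ${INTERNAL_NETS} -d ${INTERNAL_NETS} -j ACCEPT
COMMIT
EOF
}

# Sanity check (this script's own, not an iptables feature): the no-NAT
# exception for the isolated host must come before the first MASQUERADE rule,
# otherwise first-match evaluation masquerades the host anyway.
check_order() {
    build_rules | awk -v host="$ISOLATED_HOST" '
        /-j MASQUERADE/ && !seen { bad = 1 }
        $0 ~ ("^-A POSTROUTING -s " host "/32 .* -j ACCEPT$") { seen = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Load the rules atomically (requires root).  Run with "apply"; the default
# invocation only prints the ruleset so it can be reviewed first.
apply_rules() {
    check_order && build_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run without arguments to print the ruleset, with `apply` to load it through iptables-restore as root. Because the filter table's FORWARD chain is consulted before nat POSTROUTING, the FORWARD DROP alone already keeps the host off the internet; the ACCEPT in POSTROUTING is a second layer so the host is never masqueraded even if the filter rules are later removed. To verify after loading, `iptables -L FORWARD -n -v` and `iptables -t nat -L POSTROUTING -n -v` show per-rule packet counters: the FORWARD DROP counter should climb when the server tries to reach an outside address, while the MASQUERADE counters should not.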
