From: buck on 14 Jun 2010 19:28

Mike Jones <luck(a)dasteem.invalid> wrote in
news:pan.2010.06.14.16.14.35(a)dasteem.invalid:

>
> I'm looking for a method for the /client/ to be able to temporarily
> restrict its own traffic just to the router box and no further, via
> IPtables.

This is not going to answer your question, but perhaps it will give you
some ideas.

http://andthatsjazz.org/customfw.html

--
buck
From: Grant Taylor on 14 Jun 2010 21:55

Mike Jones wrote:
> How do I set up a stateful filter for a client machine?

Very similarly to what you have below.

> ATM I can restrict things to the local network, but as traffic is all
> local network to the client until the router box masquerades it, the
> client can still reach through the router box and out to the web, and
> the reverse is true also.

Um. Either I'm misunderstanding what you are wanting to do, or (to me)
your rules don't translate to what you are asking.

I'm thinking there are a couple of questions here.

1) How do I restrict a client to the local network only.
2) How do I do a stateful firewall?

The easiest way to answer #1 above is to not give the system a default
gateway. Thus it will have no route to anything other than the local
network.

As far as #2 above, use simple state rules (like similar but simpler than
what you have below) and drop everything else.

> I'm looking for a method for the /client/ to be able to temporarily
> restrict its own traffic just to the router box and no further, via
> IPtables.

Especially if you are wanting something temporary, delete the default
gateway. (Temporary in that it will come back on reboot / renew of DHCP
lease.)

> Example:
>
> (Where CNET="192.168.0.0-255")
>
> $IPT -A INPUT -i $NIC_LAN \
>     -m iprange --src-range $CNET \
>     -p tcp -m multiport --ports $PORTS_LAN \
>     -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -o $NIC_LAN \
>     -m iprange --dst-range $CNET \
>     -p tcp -m multiport --ports $PORTS_LAN \
>     -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

You shouldn't need to use the IPRange extension. The IPRange extension is
meant for IP ranges that are not (CIDR) subnets. What you are wanting to
do can be done with CIDR and Classful subnets. You can replace
"-m iprange --src-range 192.168.0.0-255" with "-s 192.168.0.0/24". Doing
so is an easier test, thus faster.

What does $PORTS_LAN expand to? (It's not listed.)
> ...still does internet via the router forwarding. Bah!

I think the main thing that you are missing is a pair of DROP rules or a
policy of DROP (plus the additional rules to allow loopback to
communicate). I.e.:

$IPT -A INPUT -i $NIC_LAN -j DROP
$IPT -A OUTPUT -o $NIC_LAN -j DROP

Grant. . . .
From: Mikhail Zotov on 15 Jun 2010 02:34

On Mon, 14 Jun 2010 16:14:36 +0000 (UTC)
Mike Jones <luck(a)dasteem.invalid> wrote:

>
> How do I set up a stateful filter for a client machine?
>
> ATM I can restrict things to the local network, but as traffic is all
> local network to the client until the router box masquerades it, the
> client can still reach through the router box and out to the web, and
> the reverse is true also.
>
> I'm looking for a method for the /client/ to be able to temporarily
> restrict its own traffic just to the router box and no further, via
> IPtables.
>
>
> Example:
>
> (Where CNET="192.168.0.0-255")
>
> $IPT -A INPUT -i $NIC_LAN \
>     -m iprange --src-range $CNET \
>     -p tcp -m multiport --ports $PORTS_LAN \
>     -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -o $NIC_LAN \
>     -m iprange --dst-range $CNET \
>     -p tcp -m multiport --ports $PORTS_LAN \
>     -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> ...still does internet via the router forwarding. Bah!
>
> Clues?

What is the default policy for OUTPUT chain? I think, it should be

iptables -P OUTPUT DROP

in your case.

--
Mikhail
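The following script is an added example that is not part of the thread and not code from any of the posters. It puts together what Grant Taylor and Mikhail Zotov describe: DROP policies on INPUT/OUTPUT (so an unmatched packet to an outside address is dropped before the router ever sees it), a loopback exception, the `-s`/`-d 192.168.0.0/24` CIDR match in place of `-m iprange`, the optional `$PORTS_LAN` multiport match, and removal of the default route. The interface name `eth0`, the function names, and the dry-run convention `IPT="echo iptables"` are assumptions of this example, not anything from the thread. The two pure-shell helpers at the end (`in_cidr`, `would_allow_new_out`) go a little beyond the posts: they let you check, without touching the kernel, which destinations the `-d $CNET` rule would let a NEW connection reach.

```shell
#!/bin/sh
# Added example, not from the thread: a client-side stateful filter that
# confines this host to its local subnet. Assumed (not in the posts): the
# LAN interface eth0, the function names, and IPT="echo iptables" as a
# dry-run that prints the rules instead of loading them.
IPT="${IPT:-iptables}"
NIC_LAN="${NIC_LAN:-eth0}"
CNET="${CNET:-192.168.0.0/24}"   # CIDR replaces -m iprange --src-range 192.168.0.0-255
PORTS_LAN="${PORTS_LAN:-}"       # e.g. "22,139,445"; empty means any port/protocol

# Optional TCP port restriction, only emitted when PORTS_LAN is set
ports_args() {
  if [ -n "$PORTS_LAN" ]; then
    echo "-p tcp -m multiport --ports $PORTS_LAN"
  fi
}

# Flush and set DROP policies: anything not explicitly accepted is dropped.
# This is the piece missing from the rules quoted in the thread.
reset_policy() {
  $IPT -F
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP
}

# Loopback must stay open or local services (resolver cache, X, ...) break
allow_loopback() {
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
}

# The stateful part: only replies come in, and only NEW connections to the
# local subnet go out. A packet to 8.8.8.8 never matches -d $CNET, so it
# hits the OUTPUT DROP policy even though the router would forward it.
allow_lan_stateful() {
  $IPT -A INPUT  -i "$NIC_LAN" -s "$CNET" $(ports_args) \
       -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -o "$NIC_LAN" -d "$CNET" $(ports_args) \
       -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Explicit log-then-drop at the end of each chain (Grant's pair of DROP
# rules) so the confinement is visible in the kernel log while in force
drop_rest() {
  $IPT -A INPUT  -i "$NIC_LAN" -j LOG --log-prefix "client-confine IN: "
  $IPT -A INPUT  -i "$NIC_LAN" -j DROP
  $IPT -A OUTPUT -o "$NIC_LAN" -j LOG --log-prefix "client-confine OUT: "
  $IPT -A OUTPUT -o "$NIC_LAN" -j DROP
}

apply_client_confine() {
  reset_policy
  allow_loopback
  allow_lan_stateful
  drop_rest
}

# Belt and braces: also remove the default route, as Grant suggests.
# It returns on the next DHCP renew, which is what "temporary" wants.
drop_default_route() {
  ip route del default 2>/dev/null || true
}

# --- pure-shell helpers: what would the -d $CNET rule match? ---

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: exit 0 when ADDR lies inside NET/BITS
in_cidr() {
  net="${2%/*}"
  bits="${2#*/}"
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# would_allow_new_out ADDR: ACCEPT if this host could open a NEW connection
# to ADDR under the ruleset above, DROP otherwise
would_allow_new_out() {
  if in_cidr "$1" "$CNET"; then echo ACCEPT; else echo DROP; fi
}

case "${1:-}" in
  apply)   drop_default_route; apply_client_confine ;;
  dry-run) IPT="echo iptables"; apply_client_confine ;;
esac
```

`sh client-confine.sh dry-run` prints the rules it would load; `sh client-confine.sh apply` (as root) loads them and drops the default route. The FORWARD policy is set to DROP as well so that a client which happens to have forwarding enabled cannot relay for another host while confined.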