From: Mike Jones on

How do I set up a stateful filter for a client machine?

ATM I can restrict things to the local network, but as traffic is all
local network to the client until the router box masquerades it, the
client can still reach through the router box and out to the web, and the
reverse is true also.

I'm looking for a method for the /client/ to be able to temporarily
restrict its own traffic just to the router box and no further, via
iptables.


Example:

(Where CNET="192.168.0.0-192.168.0.255"; the iprange match needs two
full addresses, not "192.168.0.0-255". IPT, NIC_LAN and PORTS_LAN are
assumed to be set earlier, e.g. IPT=/usr/sbin/iptables, NIC_LAN=eth0,
PORTS_LAN=22,80,443)

# Accept replies from the LAN range on the chosen TCP ports
$IPT -A INPUT -i $NIC_LAN \
-m iprange --src-range $CNET \
-p tcp -m multiport --ports $PORTS_LAN \
-m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new and existing TCP connections to the LAN range on those ports
$IPT -A OUTPUT -o $NIC_LAN \
-m iprange --dst-range $CNET \
-p tcp -m multiport --ports $PORTS_LAN \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

....still does internet via the router forwarding. Bah!

Clues?



XP alt.os.linux.slackware,alt.os.linux
FU alt.os.linux

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.
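An added example, not part of Mike's post, showing one way a client can lock itself down to the router box only. The rules in the post only ACCEPT traffic whose destination is inside the LAN range; a packet bound for the web carries a public destination address, so it never matches that ACCEPT rule and is let through by whatever comes after it (typically the chain's default policy). The script below therefore sets DROP as the default policy, allows only the router's own address as a peer, and explicitly drops and logs anything else leaving the LAN interface. IPT, NIC_LAN, ROUTER and PORTS_LAN are assumed placeholders; the functions go through $IPT so the script can be dry-run with IPT=echo before touching a live box.

```shell
#!/bin/sh
# Added example: client-side iptables lockdown to the router only.
# All values below are assumptions to adjust for the real machine.
IPT="${IPT:-iptables}"                 # set IPT=echo for a dry run
NIC_LAN="${NIC_LAN:-eth0}"             # client's LAN interface (assumed)
ROUTER="${ROUTER:-192.168.0.1}"        # router box's LAN address (assumed)
PORTS_LAN="${PORTS_LAN:-22,80,443}"    # TCP services used on the router (assumed)

# Install the restrictive rule set. Every rule is issued through $IPT so the
# caller can substitute "echo" to inspect the commands without applying them.
lockdown_rules() {
    "$IPT" -F INPUT
    "$IPT" -F OUTPUT
    # Default policy DROP is the part the original rules were missing:
    # without it, packets with a public destination fall through to ACCEPT.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    # Loopback must stay open or local services break.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Replies are accepted only when they come from the router itself; a
    # reply forwarded from the internet has a public source address and fails.
    "$IPT" -A INPUT -i "$NIC_LAN" -s "$ROUTER" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New TCP connections are allowed only to the router on the chosen ports.
    "$IPT" -A OUTPUT -o "$NIC_LAN" -d "$ROUTER" -p tcp \
        -m multiport --dports "$PORTS_LAN" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Anything else leaving the LAN interface (including packets the router
    # would forward to the web) is logged at a limited rate, then dropped.
    "$IPT" -A OUTPUT -o "$NIC_LAN" ! -d "$ROUTER" \
        -m limit --limit 5/min -j LOG --log-prefix "client-lockdown: "
    "$IPT" -A OUTPUT -o "$NIC_LAN" ! -d "$ROUTER" -j DROP
}

# Undo the lockdown: this is what makes the restriction "temporary".
release_rules() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F INPUT
    "$IPT" -F OUTPUT
}

# Usage: LOCKDOWN=apply ./lockdown.sh   or   LOCKDOWN=release ./lockdown.sh
# Dry run: IPT=echo LOCKDOWN=apply ./lockdown.sh
case "${LOCKDOWN:-}" in
    apply)   lockdown_rules ;;
    release) release_rules ;;
esac
```

The filter keys on the router's single address rather than a subnet range, so the rules do not depend on iprange syntax at all, and the explicit `! -d $ROUTER` DROP at the end of OUTPUT makes the block visible in the kernel log instead of relying silently on the policy.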