Linux as gateway/packet filter

I have a few computers on my network (company.ee) for which I want to disallow port 80 and port 21 connections outside the .ee domain.

I mean that these computers would have full access, but only inside .ee. So Linux should act as a gateway and prevent any traffic on ports 80 and 21 between those few computers and any computer outside the .ee domain.

And they all must use real IPs, because I sometimes want to run an ftp server or a game server on them.

ipchains doesn't allow using DNS names (i.e. I can't say "!ee port 80 DENY"), or does it?
henno asked:

Oarokus commented:
It is possible to do this with ipchains. I had a similar problem keeping people on the internet from connecting to my ftp server, while allowing access to the machines on my LAN.

My solution was to create a firewall (with ipchains) that would filter out any packets going to my FTP server that were not coming from the LAN. I did it like this:

ipchains -A input -p TCP -s ! 192.95.207.0/24 ftp -j DENY

-p TCP stands for the TCP protocol

-s stands for source (where the packets are coming from)

! 192.95.207.0/24 stands for all addresses that are NOT (!) in between 192.95.207.0 - 192.95.207.225

I came up with this since all of the machines on the LAN have IP addresses within the 192.95.207.* range.

ftp is the port [21] (this can be a number as well)

And -j DENY = jump to DENY

With your problem I would use the command:

ipchains -A input -p TCP -s ! 192.95.207.0/24 ftp -j DENY

but replace the address with an address that would apply to your net.

Then do the command again, but this time replace ftp with www or 80 to block off the other port.

mmips commented:
Yes, you can filter requests from your local domain from reaching the outside. But not the way you are trying to use it; check out the ipchains HOWTO, section 7, "A Serious Example". This should give you all the information necessary to set up your internal filtering rules...

http://howto.tucows.com/LDP/HOWTO/IPCHAINS-HOWTO.html
bughead1 commented:
Another good site to check out for tips on firewalls/gateways/routers is http://www.nanux.com.
henno (author) commented:
Why can't Linux check where the packets from those computers are going and just not pass them on?
henno (author) commented:
Ok, how do I specify the whole *.ee domain?
Oarokus commented:
Replace the address with an address that would apply to your net.

Instead of 192.95.207.0/24 use ee
henno (author) commented:
I still can't specify the *.ee domain

unknown host/network
Oarokus commented:
I didn't say *.ee, I said ee
Oarokus commented:
Just try this:

ipchains -A input -p TCP -s ! ee ftp -j DENY
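ipchains has no notion of a DNS domain: the argument after -s or -d is an address, a prefix, or a single host name that the resolver must turn into an address when the rule is loaded, which is why "ee" gives "unknown host/network". Two further points matter for the rules quoted in this thread: a port written after -s is a source port, so blocking connections to a server needs the port after -d; and for traffic that a Linux gateway passes between the restricted hosts and the outside, the forward chain is the one to filter on. What the gateway can do is accept ports 21 and 80 from the restricted hosts towards a list of .ee address blocks and deny those ports to every other destination. The script below is an added example, not code from the thread or from the ipchains project; it assumes two constructed internal hosts (192.0.2.10, 192.0.2.11) and two constructed placeholder prefixes standing in for the real .ee blocks, which would have to be taken from the regional registry (RIPE NCC) and kept current.

```shell
#!/bin/sh
# Added example, not from the thread: emit ipchains rules for a Linux gateway
# so that a few internal hosts may use TCP ports 21 and 80 only towards
# address blocks that belong to .ee. ipchains matches addresses, not DNS
# domains, so the .ee blocks have to be supplied as CIDR prefixes.
# All addresses below are CONSTRUCTED placeholders from documentation ranges.

RESTRICTED_HOSTS="192.0.2.10 192.0.2.11"      # hosts that must stay inside .ee
EE_NETS="198.51.100.0/24 203.0.113.0/24"     # stand-ins for the real .ee blocks
PORTS="21 80"

# Print the rules rather than running them, so they can be reviewed before
# being loaded on the gateway. In ipchains the port after -d is the
# destination port; ACCEPT rules come first because the first match wins.
build_rules() {
    echo "ipchains -F forward"
    for host in $RESTRICTED_HOSTS; do
        for port in $PORTS; do
            for net in $EE_NETS; do
                echo "ipchains -A forward -p tcp -s $host -d $net $port -j ACCEPT"
            done
            echo "ipchains -A forward -p tcp -s $host -d 0.0.0.0/0 $port -j DENY"
        done
    done
    # Other traffic is forwarded unchanged: the hosts keep their real addresses
    # (no masquerading), so an ftp or game server on them stays reachable.
    echo "ipchains -A forward -j ACCEPT"
}

# Number of rules for host $1, destination port $2 and target $3.
count_rules() {
    build_rules | grep -c -- "-s $1 -d [^ ]* $2 -j $3$"
}

# Target of the first rule matching host $1 and destination port $2,
# i.e. what the gateway would actually do with such a packet.
first_target() {
    build_rules | grep -- "-s $1 -d [^ ]* $2 -j " | head -n 1 | sed 's/.* -j //'
}

build_rules
```

Run it and pipe the output into sh on the gateway once the printed set looks right. Ports other than 21 and 80 are untouched, as the question asks, and because the prefix list is data rather than a DNS lookup, the rule set does not depend on a resolver at load time.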