I'm trying to set up a firewall with ipchains on a dialin server which would allow internet access but limit access to the LAN. The dialup server is a different machine than the gateway so I need some way of denying packets that are going to the local network.I tried to use the
ipchains -A output -i eth0 -d ! x.x.x.x
directive, where x.x.x.x is the base address of the LAN as in 192.168.8.0 but this does not work. I have a statement with Masquerading as well, but that doesn't work either(this statement may be wrong though...) I've also tried restricting access to only the gateway machine, which worked, but then I was restricted from internet access as well.
The only way I can see that it would work would be to put in individual DENY statements for each of the machines on the LAN. I really don't want to have to do this, so I was wondering if there's a way to specify a range of addresses in a DENY statement? I thought by using the base address(192.168.8.0) it would deny to all machines(192.168.8.*) but that's not the case.