Using iptables with eth0

Here is my setup.

My Fedora2 gets its internet thru the Linksys router and I wanted to relieve my linksys router the job of routing(often times hangs), I wanted the Fedora2 to act as the router.  Now I wanted to prevent specific IP from my network from accessing the internet but allow them to use the remote desktop connection to our headoffice.

1. Specific IPs are allowed to browse the internet
2. Specific IPs are allowed to use Remote Desktop Connection to Head Office but not allowed to browse the internet

How should I do this trick.

thanks in advance

LVL 3
Sandy KalugdanSystems AdministratorAsked:
Who is Participating?
 
jlevieCommented:
If you examine the packet flow diagram shown at http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html you'll see that the INPUT chain rules are meaningless as far as access to Internet hosts.  That means that you'd want rules like:

#i want to allow only 192.168.0.250 to browse the net
iptables -A FORWARD -s 192.168.0.250 -d 0.0.0.0/0 -j ACCEPT

#Disallow this IP from browsing but be able to connect to the #headoffice's IP
iptables -A FORWARD -s 192.168.0.251-d <IP addr>  -j ACCEPT
0
 
jlevieCommented:
What you'll want to do is to use a default deny stance for the FORWARD chain and explicitly permit those IP's in category (1) to FORWARD to anywhere. For the users in category (2) you'll want to explicitly permit FORWARD only to the head office IP(s).
0
 
Sandy KalugdanSystems AdministratorAuthor Commented:
#I did this

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#enabled this
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#i want to allow only 192.168.0.250 to browse the net
iptables -A INPUT -s 192.168.0.250 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.250 -j ACCEPT

#Disallow this IP from browsing but be able to connect to the #headoffice's IP
iptables -A INPUT -s 192.168.0.251 -d <IP addr> -j ACCEPT
iptables -A FORWARD -s 192.168.0.251 -j ACCEPT


what do you think of this?
0
 
Sandy KalugdanSystems AdministratorAuthor Commented:
jlevie,
thanks for pointing out the diagram. actually, it is the one who answered my question.

you really are one of the best in linux security!

good day!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.