iptables blocking users by ip address - fedoracore 5

Hi,

Currently we have an FC5 box with Squid running fine. How come, when we change "REJECT" to "ACCEPT", the users can connect to the Internet with their software? What does the line below do?

iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT


Thanks
mikesteven
thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

Add to the FORWARD CHAIN on the LAN interface a RULE that ACCEPTs all rules that come in on it.

I.e. all traffic that needs to be forwarded is accepted


I.e. all traffic that is not coming in to the linux box itself or generated by it is accepted by default.

I.e. the users can connect to the Internet because their traffic is being forwarded to the Internet.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html
mikesteven (author) commented:
shakoush2001,

How can we set limits on which users can be forwarded? Allowing all is not a good idea.


Thanks.
thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN --source 192.168.0.1 -j ACCEPT
iptables --append FORWARD --in-interface $LAN_IN --source 192.168.0.2 -j ACCEPT

Finally, drop all the rest:
iptables --append FORWARD --in-interface $LAN_IN  -j DROP
mikesteven (author) commented:
shakoush2001,

This is great! Lastly, can I somehow only accept requests on certain ports? Like applications that connect to IM, Skype and work-related ports, and block the games ports. Hope you get what I'm trying to achieve.

Thanks!
thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN -p tcp --dport 1863 --source 192.168.0.2 -j ACCEPT

for MSN, for example.


Note the -p tcp --dport 1863

or -p udp --dport 1232

I.e. first set whether it is UDP or TCP, then the port number.
mikesteven (author) commented:
shakoush2001,

Thanks a million. Does this mean I have to open one port at a time for every application and each user?

Or is there an easier way to do this?
thevpn.guru commented:
You can open multiple ports, for example

iptables --append FORWARD --in-interface $LAN_IN -p tcp --dport 22:80 --source 192.168.0.2 -j ACCEPT

would allow all ports between 22 and 80, including 22 and 80,

or


iptables --append FORWARD --in-interface $LAN_IN -p tcp -m multiport --dports 21,25,80 --source 192.168.0.2 -j ACCEPT

for ports 21, 25 or 80 exclusively
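Pulling the answers above together, here is an added example (not code from the thread) of a complete FORWARD-chain allowlist for the FC5/Squid gateway: connection tracking for return traffic, per-host rules with -m multiport (which --dports requires; plain --dport takes a single port or one lo:hi range), a LAN-wide DNS allow, and a logged drop for everything else. The interface names eth1/eth0, the host addresses and the port choices are assumptions. Two things the thread's rules alone do not cover: with a default policy of DROP, replies to allowed connections come back in on the WAN interface and need the ESTABLISHED,RELATED rule, otherwise nothing will work; and clients configured to use Squid talk to the box itself on the proxy port, so they go through INPUT rather than FORWARD, and this allowlist only governs hosts that bypass the proxy.

```shell
#!/bin/sh
# Added example, not code from the thread: a FORWARD-chain allowlist for a
# Fedora Core 5 / Squid gateway that combines the per-host, per-port and
# multiport rules discussed above. Interface names and host addresses are
# assumptions; change them to match the real box.
#
# Usage:  sh forward-allowlist.sh          # preview: print the rules, change nothing
#         sh forward-allowlist.sh apply    # apply them (run as root)

LAN_IN=${LAN_IN:-eth1}      # assumed LAN-facing interface
WAN_OUT=${WAN_OUT:-eth0}    # assumed Internet-facing interface
IPT=${IPT:-/sbin/iptables}

# Run iptables, or only print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# allow_host <source-ip-or-cidr> <tcp|udp> <ports>
# <ports> is a multiport list: comma-separated ports and lo:hi ranges,
# at most 15 entries (a range counts as two). Plain --dport takes a single
# port or one range only, which is why --dports needs -m multiport.
allow_host() {
    ipt --append FORWARD --in-interface "$LAN_IN" --out-interface "$WAN_OUT" \
        --source "$1" -p "$2" -m multiport --dports "$3" -j ACCEPT
}

build_forward_policy() {
    # Set the policy to DROP before flushing, so the chain is never wide open
    # and WAN->LAN traffic that none of the LAN-side rules match is dropped too.
    ipt --policy FORWARD DROP
    ipt --flush FORWARD

    # Replies to allowed connections arrive on $WAN_OUT and would never match
    # the per-host rules below; let connection tracking pass them.
    ipt --append FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Per-host allowlist (addresses and port choices are assumptions).
    allow_host 192.168.0.1 tcp 21,25,80,443     # ftp, smtp, web
    allow_host 192.168.0.2 tcp 80,443,1863      # web plus MSN Messenger
    allow_host 192.168.0.3 tcp 22:80            # range: 22 through 80 inclusive
    allow_host 192.168.0.0/24 udp 53            # DNS for the whole LAN

    # Log (rate-limited so a chatty client cannot flood the syslog), then drop
    # everything else arriving from the LAN.
    ipt --append FORWARD --in-interface "$LAN_IN" -m limit --limit 5/minute \
        -j LOG --log-prefix "FWD-DROP: "
    ipt --append FORWARD --in-interface "$LAN_IN" -j DROP
}

case "${1:-}" in
    apply) build_forward_policy ;;
    *)     DRY_RUN=1 build_forward_policy ;;
esac
```

Run it with no argument to preview the rules it would install; `apply` as root installs them. Check the result with `iptables -L FORWARD -v -n` (the packet counters show which rule each client is hitting) and watch for FWD-DROP: lines in the kernel log to see which host and port is being blocked before adding another allow_host line.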
