iptables blocking users by ip address - fedoracore 5

Hi,

Currently we have an fc5 box with squid running fine. How come, when we change the "REJECT" to "ACCEPT", the users can connect to the internet with their software? What does the line below do?

iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT


Thanks
mikesteven asked:

thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

Add to the FORWARD CHAIN on the LAN interface a RULE that ACCEPTs all rules that come in on it.

I.e. all traffic that needs to be forwarded is accepted.

I.e. all traffic that is not coming in to the linux box itself or generated by it is accepted by default.

I.e. the users can connect to the Internet because their traffic is being forwarded to the Internet.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html
mikesteven (Author) commented:
shakoush2001,

How can we set limits on which users can be forwarded? Allowing all is not a good idea.


Thanks.
thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN --source 192.168.0.1 -j ACCEPT
iptables --append FORWARD --in-interface $LAN_IN --source 192.168.0.2 -j ACCEPT

Finally, drop all the rest:
iptables --append FORWARD --in-interface $LAN_IN -j DROP
mikesteven (Author) commented:
shakoush2001,

This is great!!! Lastly, can I somehow only accept requests from certain ports? Like applications that connect to IM, Skype, work-related ports, and block the games port. Hope you get what I'm trying to achieve.

Thanks!
thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN -p tcp --dport 1863 --source 192.168.0.2 -j ACCEPT

for MSN, for example.

Note the -p tcp --dport 1863

or -p udp --dport 1232

I.e. first set whether it is udp or tcp, then the port number.
mikesteven (Author) commented:
shakoush2001,

Thanks a million. Does this mean I have to open one port at a time for every application and each user?

Or is there an easier way to do this?
thevpn.guru commented:
You can open multiple ports, for example:

iptables --append FORWARD --in-interface $LAN_IN -p tcp --dport 22:80 --source 192.168.0.2 -j ACCEPT

would allow all ports between 22 and 80, including 22 and 80.

or


iptables --append FORWARD --in-interface $LAN_IN -p tcp -m multiport --dports 21,25,80 --source 192.168.0.2 -j ACCEPT

for ports 21, 25 or 80 exclusively (note that --dports needs the multiport match, -m multiport; plain --dport only takes a single port or a range).
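A way to turn the per-host, per-port ACCEPT rules from this thread into a reviewable script, as an added example that is not part of the original answers: it prints the FORWARD rules for a constructed allowlist (the host addresses, the eth1 interface name and the forward_rules helper are assumptions), adds the conntrack rule that return traffic needs once the final rule is DROP, and emits the DROP last because --append adds rules in order.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread): emit a FORWARD
# rule set that lets listed LAN hosts reach listed TCP ports and drops every
# other forwarded packet from the LAN. Rules are printed, not executed, so
# they can be reviewed first and then piped to sh on the gateway.

LAN_IN="${LAN_IN:-eth1}"   # assumed LAN-side interface name
IPT="${IPT:-iptables}"

# Allowlist: one "ip ports" entry per line. Ports are either a comma list
# (needs -m multiport) or a range such as 22:80. Constructed sample data:
ALLOWLIST='192.168.0.2 80,443,1863
192.168.0.3 22:80'

forward_rules() {
    # Replies to forwarded flows come back in on the WAN interface, not on
    # $LAN_IN, so once the tail of the chain is DROP they must be matched by
    # connection state or the users' sessions never complete.
    echo "$IPT --append FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    echo "$ALLOWLIST" | while read -r ip ports; do
        if [ -z "$ip" ]; then continue; fi
        case "$ports" in
            *,*) match="-m multiport --dports $ports" ;;  # list of ports
            *)   match="--dport $ports" ;;                # one port or a range
        esac
        echo "$IPT --append FORWARD --in-interface $LAN_IN -p tcp $match --source $ip -j ACCEPT"
    done

    # Everything else from the LAN is dropped. Because --append is used this
    # line must stay last; placed earlier it would shadow the ACCEPTs above.
    echo "$IPT --append FORWARD --in-interface $LAN_IN -j DROP"
}

forward_rules
```

Hosts not in the allowlist fall through to the final DROP, and a host in the list still only gets the ports named on its line.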