mikesteven
asked on
iptables blocking users by IP address - Fedora Core 5
Hi,
Currently we have an FC5 box with squid running fine. How come, when we change the "REJECT" to "ACCEPT", the users can connect to the Internet with their software? What does the line below do?
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
Thanks
ASKER
shakoush2001,
How can we set limits on which users can be forwarded? Allowing all is not a good idea.
Thanks.
iptables --append FORWARD --in-interface $LAN_IN --source 192.168.0.1 -j ACCEPT
iptables --append FORWARD --in-interface $LAN_IN --source 192.168.0.2 -j ACCEPT
Finally, drop all the rest:
iptables --append FORWARD --in-interface $LAN_IN -j DROP
ASKER
shakoush2001,
This is great!!! Lastly, can I somehow only accept requests from certain ports? Like applications that connect to IM, Skype, work-related ports, and block the games ports. Hope you get what I'm trying to achieve.
Thanks!
iptables --append FORWARD --in-interface $LAN_IN -p tcp --dport 1863 --source 192.168.0.2 -j ACCEPT
for MSN, for example.
Note the -p tcp --dport 1863
or -p udp --dport 1232
I.e. set first whether UDP or TCP, then the port number.
ASKER
shakoush2001,
Thanks a million. Does this mean I have to open one port at a time for every application and each user?
Or is there an easier way to do this?
Add to the FORWARD chain, on the LAN interface, a rule that ACCEPTs all rules that come in on it.
I.e. all traffic that needs to be forwarded is accepted.
I.e. all traffic that is not coming in to the Linux box itself or generated by it is accepted by default.
I.e. the users can connect to the Internet because their traffic is being forwarded to the Internet.
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
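As an added example (not from the thread), here is a script that answers the last question: instead of one rule per application and per user, group the ports with iptables' multiport match and loop over the allowed hosts, then end with the catch-all DROP as shown above. The interface name, the hosts and the port lists are constructed placeholders, and the script prints the commands instead of running them unless IPTABLES=iptables is set.

```shell
#!/bin/sh
# Added example: build the FORWARD rules discussed in the thread with one
# ACCEPT per host and protocol (not per host and port) using -m multiport.
# Dry run by default: prints the commands. Set IPTABLES=iptables to apply.
LAN_IN=${LAN_IN:-eth1}             # assumed LAN-side interface name
IPTABLES=${IPTABLES:-echo iptables}

# Constructed sample values: allowed hosts and the ports they may reach.
ALLOWED_HOSTS="192.168.0.1 192.168.0.2"
TCP_PORTS="80,443,1863"            # web plus MSN (1863, from the thread)
UDP_PORTS="53"                     # DNS

# Rule order matters: iptables stops at the first match, so the ACCEPTs
# must be appended before the final DROP or nothing gets through.
# Only packets entering on $LAN_IN are matched; replies arriving on the
# WAN interface are untouched by these rules.
build_forward_rules() {
    for host in $ALLOWED_HOSTS; do
        $IPTABLES --append FORWARD --in-interface "$LAN_IN" --source "$host" \
            -p tcp -m multiport --dports "$TCP_PORTS" -j ACCEPT
        $IPTABLES --append FORWARD --in-interface "$LAN_IN" --source "$host" \
            -p udp -m multiport --dports "$UDP_PORTS" -j ACCEPT
    done
    # Everything else from the LAN that is not accepted above is dropped.
    $IPTABLES --append FORWARD --in-interface "$LAN_IN" -j DROP
}

# In dry-run mode: number of rules that would be installed
# (2 per allowed host plus the final DROP).
count_forward_rules() {
    build_forward_rules | grep -c .
}

build_forward_rules
```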