iptables blocking users by IP address - Fedora Core 5


Currently we have an FC5 box with squid running fine. How come, when we change the "REJECT" to "ACCEPT", the users can connect to the internet with their software? What does the line below do?

iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT


thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

Add to the FORWARD chain, on the LAN interface, a rule that ACCEPTs all packets that come in on it.

I.e. all traffic that needs to be forwarded is accepted

I.e. all traffic that is not coming in to the linux box itself or generated by it is accepted by default.

I.e. the users can connect to the Internet because their traffic is being forwarded to the Internet.

mikesteven (Author) commented:

How can we set limits on which users can be forwarded? Allowing all is not a good idea.

thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN --source <ip-of-user-1> -j ACCEPT
iptables --append FORWARD --in-interface $LAN_IN --source <ip-of-user-2> -j ACCEPT

finally drop all the rest
iptables --append FORWARD --in-interface $LAN_IN -j DROP

mikesteven (Author) commented:

This is great!!! Lastly, can I somehow only accept requests on certain ports? Like applications that connect to IM, Skype, work-related ports, and block the games ports. Hope you get what I'm trying to achieve.

thevpn.guru commented:
iptables --append FORWARD --in-interface $LAN_IN -p tcp --dport 1863 --source <ip> -j ACCEPT

for MSN, for example

Note the -p tcp --dport 1863

or -p udp --dport 1232

I.e. first set whether it is udp or tcp, then the port number.
mikesteven (Author) commented:

Thanks a million. Does this mean I have to open one port at a time for every application and each user?

Or is there an easier way to do this?
thevpn.guru commented:
you can open multiple ports, for example

iptables --append FORWARD --in-interface $LAN_IN -p tcp --dport 22:80 --source <ip> -j ACCEPT

would allow all ports between 22 and 80, including 22 and 80


iptables --append FORWARD --in-interface $LAN_IN -p tcp -m multiport --dports 21,25,80 --source <ip> -j ACCEPT

for ports 21, 25 or 80 only (the comma-separated list needs the multiport match, -m multiport, or iptables rejects --dports)
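The per-host whitelist from the earlier answer and the port-range and multiport forms from this one, put together into one script as an added example that is not part of the thread. It assumes eth1 is the LAN-side interface and eth0 the Internet-side one, the 192.168.1.x hosts are constructed sample addresses, and by default it only echoes the iptables commands (set IPT=iptables and run as root to install them). It also covers a point the thread does not mention: replies to forwarded connections arrive on the WAN interface, so rules keyed on --in-interface $LAN_IN never match them, and once the chain policy is DROP they need a connection-tracking rule of their own.

```shell
#!/bin/sh
# Added example (not from the thread): whitelist forwarding per LAN host and
# per port, drop everything else. Assumptions: eth1 is the LAN side, eth0 the
# Internet side, and the 192.168.1.x hosts are constructed sample addresses.
# IPT defaults to "echo iptables", so running this prints the rules; set
# IPT=iptables and run as root to actually install them.
IPT="${IPT:-echo iptables}"
LAN_IN="${LAN_IN:-eth1}"
WAN_OUT="${WAN_OUT:-eth0}"

# allow_host HOST PROTO PORTSPEC
#   PORTSPEC is a single port ("80"), an inclusive range ("22:80"), or a
#   comma-separated list ("21,25,80"). A list needs the multiport match;
#   plain --dports without -m multiport is rejected by iptables.
allow_host() {
    host=$1; proto=$2; ports=$3
    case $ports in
        *,*) $IPT --append FORWARD --in-interface "$LAN_IN" --source "$host" \
                  -p "$proto" -m multiport --dports "$ports" -j ACCEPT ;;
        *)   $IPT --append FORWARD --in-interface "$LAN_IN" --source "$host" \
                  -p "$proto" --dport "$ports" -j ACCEPT ;;
    esac
}

build_forward_policy() {
    # Default-deny, then rebuild the chain from scratch so re-running the
    # script never leaves an old ACCEPT sitting in front of the final DROP.
    $IPT --policy FORWARD DROP
    $IPT --flush FORWARD
    # Replies to forwarded connections arrive on the WAN interface, so the
    # --in-interface $LAN_IN rules below never see them; with the policy
    # at DROP they need an explicit connection-tracking rule.
    $IPT --append FORWARD --in-interface "$WAN_OUT" --out-interface "$LAN_IN" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_host 192.168.1.10 tcp 1863       # MSN Messenger
    allow_host 192.168.1.10 tcp 21,25,80   # FTP, SMTP, HTTP via multiport
    allow_host 192.168.1.11 tcp 22:80      # every port from 22 to 80 inclusive
    allow_host 192.168.1.11 udp 53         # DNS
    # Everything else from the LAN is dropped; --append keeps this rule last.
    $IPT --append FORWARD --in-interface "$LAN_IN" -j DROP
}

build_forward_policy
```

Order matters because every rule is appended: the per-host ACCEPTs have to be in the chain before the final DROP, which is why the script flushes FORWARD and rebuilds it in one go rather than adding single lines by hand. Check the result with `iptables -L FORWARD -v -n`; the packet counters on each rule show which hosts and ports are actually being used.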
