Zingaro2002
May 3rd, 2007, 10:04 AM
I followed this article:
Setting up a simple Debian gateway
http://www.debian-administration.org/articles/23
on an ubuntu server 6.10 linux box and it worked perfectly!
(many thanks to the author!!!)
Now I only need to put some limitations (but I don't know iptables rules...) in 00-firewall script.
This script is loaded at startup and it is:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Now I want that :
- ONLY some MAC ADDRESSES (I decide which ones) must be able to use this gateway to surf the net
AND
- machines behind the gateway can access only some ports (say ONLY 80) and estabilish connections only to/from some google subdomains (say ####.google.com and maps.google.it)
Well, my users should use Google earth (that makes connections to various ####.google.com domains) and http://maps.google.it
These must be THE ONLY CONNECTIONS ENABLED to and from Internet.
No other internet connection should be available through the gateway (no ssh, no smtp, no pop, no emule, no ftp, and so on...).
Can you help me to implement the right iptables rules (without using any proxy)?
How should I modify that script?
Thanks in advance for any suggestion.
Setting up a simple Debian gateway
http://www.debian-administration.org/articles/23
on an ubuntu server 6.10 linux box and it worked perfectly!
(many thanks to the author!!!)
Now I only need to put some limitations (but I don't know iptables rules...) in 00-firewall script.
This script is loaded at startup and it is:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Now I want that :
- ONLY some MAC ADDRESSES (I decide which ones) must be able to use this gateway to surf the net
AND
- machines behind the gateway can access only some ports (say ONLY 80) and estabilish connections only to/from some google subdomains (say ####.google.com and maps.google.it)
Well, my users should use Google earth (that makes connections to various ####.google.com domains) and http://maps.google.it
These must be THE ONLY CONNECTIONS ENABLED to and from Internet.
No other internet connection should be available through the gateway (no ssh, no smtp, no pop, no emule, no ftp, and so on...).
Can you help me to implement the right iptables rules (without using any proxy)?
How should I modify that script?
Thanks in advance for any suggestion.