frodon:
After some experimentation with my Ubuntu platforms with manually applied, temporary code, I've implemented your firewall solution on one of the systems for permanent use.
The initial run did not allow the home LAN to be visible (this was anticipated). Some trial and error coding brought up the two Ubuntu platforms and a final modification of your code from our first post yielded the remaining Windows XP test system:
Originally Posted by frodon
iptables -A TRUSTED -p tcp -s 192.168.2.* -j ACCEPT should do it I think.
the firewall type sudo /etc/init.d/firewall stop
My changes were:
Code:
# Allow ip
iptables -A TRUSTED -p tcp -s 192.168.2.0/24 -j ACCEPT
iptables -A TRUSTED -p tcp -s 192.168.2.1 -m mac --mac-source [applicable mac address inserted] -j ACCEPT
The results were the same as when I applied the sample codes:
Code:
# Accept packets from trusted IP addresses
>>>>iptables -A INPUT -s 192.168.0.4 -j ACCEPT # change the IP address as appropriate
....
Code:
# Accept packets from trusted IP addresses
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT # using standard slash notation
>>>>iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask
....
Finally, as well as filtering against a single IP address, we can also match against the MAC address for the given device . . . . Here we use the mac module to check the mac address of the source of the packet in addition to its IP address:
Code:
# Accept packets from trusted IP addresses
>>>>iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
....( ref: Slider, PC Perspectives)
BTW this coding that you supplied did work once your firewall solution was in place:
Originally Posted by frodon
It's the main problem with dynamic addresses and home networks. I think the rule I gave you doesn't work but I'm sure allowing a range of IPs is possible with iptables.
You can try that, I never tested this though:
Code:
iptables -A TRUSTED -i eth0 -m iprange --src-range 192.168.2.100-192.168.2.255 -j ACCEPT
....
(It picked up the Ubuntu platforms and omitted the Win XP system.
It probably needed to be tweaked to include the full range from 192.168.2.1 through 255.
The two lines that I mentioned above plus the "iprange" addition seemed responsible for making all the test platforms visible,
including the network and workgroup.)
I modified it and added it to the "Allow ip" section of "firewall.bash" as:
Code:
iptables -A TRUSTED -i eth0 -m iprange --src-range 192.168.2.1-192.168.2.255 -j ACCEPT
Rebooting the system revealed the new firewall to be active and functional. NmapFE also showed the new firewall to be functioning as to scans.
I should be able to distribute the firewall solution to the other Ubuntu platforms in my network as needed.
Thanks again for the excellent programming and tutorial --- and most of all, your considerate and timely responses,
-met-
Catz3705
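As an added example (not the poster's firewall.bash and not frodon's code), the script below collects the rules that worked in this post into one TRUSTED chain, with a dry-run mode so the rules can be read before they are loaded. The interface, subnet, pinned host and its MAC are placeholder values, and it assumes INPUT is not already handed to TRUSTED by the existing firewall.

```shell
#!/bin/sh
# Added example: build a TRUSTED chain for a home LAN.
# "DRY_RUN=1 sh trusted.sh" prints the rules; "sudo sh trusted.sh apply" loads them.
# Interface, subnet, pinned host and MAC below are assumed placeholder values.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
PINNED_IP="${PINNED_IP:-192.168.2.1}"
PINNED_MAC="${PINNED_MAC:-00:00:00:00:00:01}"

# ipt: print the iptables command when DRY_RUN=1, otherwise execute it
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

trusted_rules() {
    # Create the chain (an existing one is fine) and hand LAN-side INPUT
    # traffic to it; whatever TRUSTED does not accept falls back to INPUT.
    ipt -N TRUSTED 2>/dev/null || true
    ipt -A INPUT -i "$LAN_IF" -j TRUSTED

    # A whole-subnet ACCEPT would also accept a spoofed pinned address, so
    # first drop packets that claim PINNED_IP but arrive from another MAC.
    ipt -A TRUSTED -s "$PINNED_IP" -m mac ! --mac-source "$PINNED_MAC" -j DROP

    # Accept the rest of the LAN by subnet. No "-p tcp" here: NetBIOS name
    # service and browser announcements (UDP 137/138) are what make the
    # "network and workgroup" show up, and a TCP-only rule never matches them.
    ipt -A TRUSTED -s "$LAN_NET" -j ACCEPT

    # iprange is only needed when the trusted block is not a whole subnet
    # (e.g. a DHCP pool); a range starting at .100 misses hosts below it.
    # ipt -A TRUSTED -m iprange --src-range 192.168.2.100-192.168.2.199 -j ACCEPT
}

case "${1:-}" in
    apply) trusted_rules ;;
    *) DRY_RUN=1; trusted_rules ;;
esac
```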