For the LAN traffic, I think these rules should work:
Code:
-A FORWARD -s 10.1.10.0/24 -d 10.1.10.0/24 -j ACCEPT
-A FORWARD -s 10.1.10.13/32 -j ACCEPT
This should allow unlimited traffic around the LAN, but only the single IP of 10.1.10.13 would be able to transmit anything outside the LAN. Of course you would still need the RELATED,ESTABLISHED rule ahead of them, to accept responses to packets that 10.1.10.13 sent out. If you wanted to restrict that IP to only a single port or a range of ports, you could expand its rule to do so, and if you wanted to allow a different specific IP to do the same, you could add a rule for it that differed only in the final octet of the source address. Obviously, you would change these IPs to those actually involved, and the network would have to be using static IPs rather than DHCP assignment for the ACCEPT rules to remain consistent.
Just keep in mind that the rules are visited in strict top-to-bottom sequence, so once a packet satisfies a rule that takes it to either ACCEPT or DROP/REJECT, no additional rules will see it. A jump to LOG always returns after logging the data, though, and any user-defined chain that does not have an unconditional jump as its last rule will return to the chain that called it. In other words, each rule is like a subroutine in a program.
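The rule set and ordering described in the post above, as an added example that is not part of the original reply: a small Python model of first-match evaluation over a FORWARD chain, with the two rules from the post placed after the RELATED,ESTABLISHED rule, plus one hypothetical extra host (10.1.10.14, an assumption, not from the post) restricted to TCP ports 80 and 443 to show the port-range variant. The `render()` method emits the equivalent iptables syntax (`-m conntrack --ctstate` and `-m multiport --dports` are real match modules); the packets fed to `evaluate()` are constructed test inputs, and the model ignores LOG and user-defined chains.

```python
"""Model of first-match evaluation for an iptables FORWARD chain (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    target: str                                 # ACCEPT or DROP
    src: Optional[str] = None                   # CIDR, e.g. "10.1.10.13/32"
    dst: Optional[str] = None                   # CIDR
    states: Optional[Tuple[str, ...]] = None    # conntrack states to match
    dports: Optional[Tuple[int, ...]] = None    # TCP destination ports to match

    def matches(self, p: Packet) -> bool:
        """Every specified match criterion must hold, as in iptables."""
        if self.states is not None and p.state not in self.states:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and not (p.proto == "tcp" and p.dport in self.dports):
            return False
        return True

    def render(self) -> str:
        """Emit the rule in iptables-save style."""
        parts = ["-A FORWARD"]
        if self.src:
            parts.append(f"-s {self.src}")
        if self.dst:
            parts.append(f"-d {self.dst}")
        if self.states:
            parts.append("-m conntrack --ctstate " + ",".join(self.states))
        if self.dports:
            parts.append("-p tcp -m multiport --dports " + ",".join(map(str, self.dports)))
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def build_forward_chain() -> List[Rule]:
    """Order matters: the RELATED,ESTABLISHED rule must come first so replies
    to traffic that 10.1.10.13 initiated are accepted before the source checks."""
    return [
        Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", src="10.1.10.0/24", dst="10.1.10.0/24"),   # LAN to LAN, unrestricted
        Rule("ACCEPT", src="10.1.10.13/32"),                      # only this host may leave the LAN
        Rule("ACCEPT", src="10.1.10.14/32", dports=(80, 443)),    # hypothetical: web only
    ]


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Walk the chain top to bottom; the first matching terminating rule wins.
    Returns (verdict, 1-based rule index), or (policy, 0) if nothing matched."""
    for idx, rule in enumerate(chain, start=1):
        if rule.matches(p):
            return rule.target, idx
    return policy, 0


if __name__ == "__main__":
    chain = build_forward_chain()
    print("\n".join(r.render() for r in chain))
    # 198.51.100.7 is a constructed external address (documentation range)
    samples = [
        Packet("10.1.10.5", "10.1.10.9"),                          # LAN to LAN
        Packet("10.1.10.13", "198.51.100.7"),                      # allowed host going out
        Packet("10.1.10.20", "198.51.100.7"),                      # other host going out
        Packet("198.51.100.7", "10.1.10.13", state="ESTABLISHED"), # reply to 10.1.10.13
        Packet("198.51.100.7", "10.1.10.13"),                      # unsolicited inbound
        Packet("10.1.10.14", "198.51.100.7", dport=443),           # web-only host, allowed port
        Packet("10.1.10.14", "198.51.100.7", dport=22),            # web-only host, blocked port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(chain, pkt))
```

Running the script prints the four rules in iptables-save form, then a verdict and the index of the rule that decided each sample packet; an index of 0 means the packet fell through to the chain policy, which is where the DHCP caveat from the post bites, since a host that receives a different lease no longer matches its `-s` rule.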