filtering ruleset help sought

Barry Fawthrop barry at ttienterprises.org
Mon Aug 15 23:02:49 CEST 2005


Thanks John

Yes I want this machine and every other machine on the LAN to be denied 
access to the Internet except to the sites or IPs listed
in the allowed-hosts file

So could you help with what additional rules I would need?



John A. Sullivan III wrote:

>Hmm . . . looks a little strange.  Do you want such access for this
>specific device or for other devices on the internal network that use
>this device as a gateway? The INPUT and OUTPUT chains will only handle
>traffic to and from this device.
>
>I would suggest you use connection tracking and you may find it easier
>to use DROP policies. Thus:
>
>$IPT -t filter -P INPUT DROP
>$IPT -t filter -P OUTPUT DROP
>$IPT -t filter -P FORWARD DROP
>$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>Then you can allow the outbound access including the protocol:
>
>while read s1 s2
>     do
>      $IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j ACCEPT
>      $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
>     done < /allowed-hosts
>  
>
also what is the -p 6 ???

>If you want to allow other devices to access these sites through this
>device, you will need rules in the FORWARD chain and probably an SNAT
>rule in the nat table POSTROUTING chain.  Good luck - John
>  
>
Thanks
Barry
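As an added example (not part of this thread, and not code from either poster), the script below turns the advice above into one complete ruleset for the case Barry describes: the gateway itself and every LAN host behind it are denied Internet access except to the destinations listed in the allowed-hosts file. It combines the DROP policies and connection tracking from the quoted reply with the FORWARD rules and the nat-table POSTROUTING rule the reply says the LAN case needs. Rather than calling iptables directly, it emits the ruleset in iptables-restore(8) format so it can be reviewed before loading. Assumptions not stated in the thread: the LAN is 192.168.1.0/24 on eth1, the Internet is reached through eth0, and each line of the allowed-hosts file is "host-or-ip [port]" (two fields, as the quoted `read s1 s2` loop expects), with port 80 used when the second field is missing. On the `-p 6` question: 6 is the IP protocol number of TCP (see /etc/protocols), so `-p 6` and `-p tcp` are the same match; the example writes `-p tcp` for readability.

```shell
#!/bin/sh
# Added example, not from the netfilter thread: generate an egress
# allowlist ruleset for a LAN gateway in iptables-restore(8) format.
# Assumed values (override via the environment):
INNET=${INNET:-192.168.1.0/24}   # assumed LAN network
LAN_IF=${LAN_IF:-eth1}           # assumed LAN-facing interface
WAN_IF=${WAN_IF:-eth0}           # assumed Internet-facing interface

# gen_ruleset <allowed-hosts file>
# Prints a complete ruleset: default DROP on every filter chain, replies
# accepted via connection tracking, one ACCEPT per allowed destination for
# the gateway (OUTPUT) and for the LAN behind it (FORWARD), plus SNAT.
gen_ruleset() {
    hosts_file=$1
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback, then replies to connections that were already allowed.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One rule pair per allowed destination; "-p tcp" equals "-p 6".
    while read -r host port; do
        case $host in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ -n "$port" ] || port=80                  # default port (assumed)
        echo "-A OUTPUT -o $WAN_IF -d $host -p tcp --dport $port -m state --state NEW -j ACCEPT"
        echo "-A OUTPUT -o $WAN_IF -d $host -p icmp -j ACCEPT"
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $INNET -d $host -p tcp --dport $port -m state --state NEW -j ACCEPT"
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $INNET -d $host -p icmp -j ACCEPT"
    done < "$hosts_file"
    # Log what the DROP policy is about to discard, so blocked LAN clients
    # can be diagnosed from the kernel log instead of guessed at.
    echo '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "'
    echo 'COMMIT'
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Source NAT so forwarded LAN traffic leaves with the gateway's address.
    echo "-A POSTROUTING -s $INNET -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'
}

# count_allowed <allowed-hosts file>
# Number of usable (non-blank, non-comment) entries, for a sanity check
# against the number of rules produced.
count_allowed() {
    n=0
    while read -r host port; do
        case $host in ''|'#'*) continue ;; esac
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Usage: gen_ruleset /allowed-hosts > /etc/iptables.rules
#        iptables-restore < /etc/iptables.rules   (as root, on the gateway)
```

Two caveats when using this: a hostname in allowed-hosts is resolved once, at the moment the ruleset is loaded, so addresses are more reliable than names; and the LOG rule sits just before the FORWARD policy drop, so a rate-limited "FWD-DROP:" line in the kernel log is the first place to look when a LAN machine reports it cannot reach a site.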