filtering ruleset help sought
barry at ttienterprises.org
Mon Aug 15 23:02:49 CEST 2005
Yes I want this machine and every other machine on the LAN to be denied
access to the Internet except to the sites or IPs listed
in the allowed-hosts file
So could you help with what additional rules I would need?
John A. Sullivan III wrote:
>Hmm . . .looks a little strange. Do you want such access for this
>specific device or for other devices on the internal network that use
>this device as a gateway? The INPUT and OUTPUT chains will only handle
>traffic to and from this device.
>I would suggest you use connection tracking and you may find it easier
>to use DROP policies. Thus:
>$IPT -t filter -P INPUT DROP
>$IPT -t filter -P OUTPUT DROP
>$IPT -t filter -P FORWARD DROP
>$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>Then you can allow the outbound access including the protocol:
>while read s1 s2; do
> $IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> done < /allowed-hosts
Also, what is the -p 6?
>If you want to allow other devices to access these sites through this
>device, you will need rules in the FORWARD chain and probably an SNAT
>rule in the nat table POSTROUTING chain. Good luck - John
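As an added illustration of the gateway setup John describes (this is not code from the thread): a default-DROP ruleset that reads the allowed-hosts file once and opens the FORWARD chain for LAN clients and the OUTPUT chain for the gateway itself, plus the POSTROUTING SNAT (MASQUERADE) rule. It assumes INNET is 192.168.1.0/24, the WAN interface is eth0 and the LAN interface is eth1; IPT defaults to "echo iptables" so it can be dry-run without root.

```shell
#!/bin/sh
# Whitelist-only Internet access for a LAN behind this gateway.
# Assumed values (override via the environment); IPT=iptables applies for real.
IPT="${IPT:-echo iptables}"
INNET="${INNET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
ALLOWED="${ALLOWED:-/allowed-hosts}"   # one "ip-or-host [comment]" per line

build_ruleset() {
    # Default deny on every chain; connection tracking lets replies back in.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P OUTPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One pair of rules per allowed destination; blank and '#' lines are skipped.
    # Note: hostnames are resolved only when the rule is inserted, so IPs are safer.
    while read -r host _rest; do
        case "$host" in ''|'#'*) continue ;; esac
        # LAN clients go through FORWARD (-p 6 is TCP; -p tcp is the same thing).
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INNET" -d "$host" -p tcp --dport 80 -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INNET" -d "$host" -p icmp -j ACCEPT
        # The gateway's own traffic goes through OUTPUT.
        $IPT -A OUTPUT -o "$WAN_IF" -d "$host" -p tcp --dport 80 -j ACCEPT
    done < "$ALLOWED"

    # Rewrite the LAN source address on the way out so replies return here.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$INNET" -j MASQUERADE
}

# Dry-run prints the rules; nothing happens if the allowed-hosts file is missing.
[ -r "$ALLOWED" ] && build_ruleset
```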