Gonn Star wrote:
> I am new in the linux world, basically I'm using red hat 9
> kernel 2.4.20-8. I need to build a trusted gateway. my
> linux box will be the gateway for several PCs
> to go to the desired server. there will be several
> subnets under the linux box, I've already assigned
> static IPs for the PCs. Now my problem is I only need
> 2 PCs from each subnet to connect to certain servers,
> and those 2 PCs can only have transactions (open) to the
> specified servers, for others it will be
> dropped (firewalled). for other PCs, they can't log on to
> the outside world. should I use only iptables rules or
> with the help of squid (ACL) as well ? please add up
> the commands as well. Thanks.


This sounds like a fairly basic firewall without Squid in the mix.  In short 
you are probably looking at a firewall like this (NOTE:  This script will be 
incomplete for just about any scenario, but will give you the idea.):

# Default policy: anything forwarded that no rule below handles is dropped.
iptables -t filter -P FORWARD DROP
# Flush any rules already in FORWARD so only the ones below apply.
iptables -t filter -F FORWARD
# Two hosts per subnet (three subnets here) are allowed to forward traffic.
# These match on source address only; no destination restriction yet.
iptables -t filter -A FORWARD -s 192.168.0.1 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.2 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.1.1 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.1.2 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.2.1 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.2.2 -j ACCEPT
# Everything else is refused with an ICMP "network unreachable" reply.
iptables -t filter -A FORWARD -j REJECT --reject-with icmp-net-unreachable

This quick and dirty (and incomplete) script will set the default policy (-P) 
of the FORWARD chain to DROP all traffic that is to be forwarded and not 
handled by any other rule.  Once the default policy has been set it flushes 
(-F) the FORWARD chain to make sure that there were not any old rules lingering 
around that could mess things up.  The next six rules are in place to 
explicitly allow just the two machines from three subnets (in this example) to 
pass traffic through the FORWARD chain on out to a different network.  Any 
traffic that is not explicitly handled by the six rules to allow traffic to be 
forwarded will meet the last rule which will reject the traffic with a message 
saying that there is no route to the destination thus making the computers 
think that they are isolated.

As someone else pointed out if you are new to the Linux community you might be 
better off served by finding someone in your area with more experience at 
hardening a box and a firewall to help you in this endeavor.  Or if you are not 
new to unix or firewalling, just Linux, and you need to acclimate yourself with 
the Linux syntax and methodology you will probably be ok.  Either way it would 
probably be worth your time to skim some of the HOW-TOs that are out there, 
namely the NetFilter HOW-TO, as you are asking questions that are answered in it.

Grant. . . .
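A fuller version of the same idea, added here as an example and not part of Grant's reply or the LARTC thread: it keys every ACCEPT on both the source host and the destination server:port (the script above matches on source only, so an allowed PC could reach any destination), lets replies to permitted connections back through, and logs what it rejects before rejecting it. The subnet, host and server addresses and the ports are constructed sample values; the `-m state` match is used because it exists on the 2.4 kernels of the question as well as current ones. The script defaults to a dry run that prints the iptables commands rather than applying them; set IPT=iptables to apply them on the gateway.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed sample addresses.
# IPT defaults to a dry run that echoes each command; IPT=iptables applies it.
IPT="${IPT:-echo iptables}"

# The two permitted client hosts in each of three subnets (constructed values).
ALLOWED_HOSTS="192.168.0.10 192.168.0.11 192.168.1.10 192.168.1.11 192.168.2.10 192.168.2.11"
# The servers those hosts may reach, as address:tcp-port (constructed values).
SERVERS="203.0.113.10:443 203.0.113.20:22"

build_forward_rules() {
    # Default policy: anything forwarded that no rule handles is dropped.
    $IPT -t filter -P FORWARD DROP
    # Start from an empty FORWARD chain so stale rules cannot widen access.
    $IPT -t filter -F FORWARD
    # Server replies traverse FORWARD too; without this only the
    # client-to-server direction would pass and no connection would complete.
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for host in $ALLOWED_HOSTS; do
        for svc in $SERVERS; do
            server="${svc%%:*}"
            port="${svc##*:}"
            # Only NEW connections from this host to this server:port are accepted.
            $IPT -t filter -A FORWARD -s "$host" -d "$server" -p tcp --dport "$port" \
                -m state --state NEW -j ACCEPT
        done
    done
    # Rate-limited log of refused forwards, so misconfiguration or unexpected
    # hosts show up in the kernel log instead of failing silently.
    $IPT -t filter -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-REJECT: "
    # Everything else: refuse with "network unreachable", as in the original script.
    $IPT -t filter -A FORWARD -j REJECT --reject-with icmp-net-unreachable
}

# Number of commands a run would issue; lets a dry run be sanity-checked.
count_rules() {
    build_forward_rules | wc -l | tr -d ' '
}

build_forward_rules
```

Running it without setting IPT prints the 17 commands it would issue (2 setup, 1 state rule, 6 hosts x 2 servers, 1 log, 1 reject); PCs not in ALLOWED_HOSTS, and allowed PCs talking to anything other than the listed server:port pairs, fall through to the log and reject rules.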
_______________________________________________
LARTC mailing list
[email protected]
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc