On Wed, 2008-08-06 at 22:01 +0300, Geoffrey S. Mendelson wrote:

> I want to install a wireless router that is unprotected (it's for a special
> occasion).
>
> During the time it is up, I want to allow users on it to access my Internet
> connection, but not the computer running the connection (it's the usual
> pptp tunnel).
>
> If I need to I can add an ethernet interface just for that router.
>
> I'm using a 2.4 kernel so I need an iptables rule.
>
> Any ideas?
>
> Thanks, Geoff.
Hello Geoff,

I'm no iptables guru, but I may be able to help you.

My wireless router is connected to a separate NIC routed directly to my firewall VM (disabled on the host; bridged on the VM). The NIC is disabled most of the time, unless I require wireless access (and even then it has an inactivity-based kill-switch).

The network is divided into a number of blue networks (private networks), a red network (wireless) and, of course, the Internet. The firewall uses NAT to route packets between the different blue networks, and between the red/blue networks and the Internet.

My NAT iptables rules look something like this (pseudo code):

# Placeholder address ranges; substitute your own.
RED_NETWORK=192.168.50.0/24
BLUE_NETWORK=192.168.1.0/24

# Don't route packets between red and blue networks.
# Must come first (!!!)
# AFAIK PREROUTING can be used instead.
/sbin/iptables -t nat -A POSTROUTING -s $RED_NETWORK -d $BLUE_NETWORK -j DROP
/sbin/iptables -t nat -A POSTROUTING -s $BLUE_NETWORK -d $RED_NETWORK -j DROP

# NAT: Red network.
# Outbound from red is masqueraded; the second rule covers return traffic
# of already established connections.
/sbin/iptables -t nat -A POSTROUTING -s $RED_NETWORK -d 0/0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -s 0/0 -d $RED_NETWORK -j MASQUERADE

# NAT: Blue network.
/sbin/iptables -t nat -A POSTROUTING -s $BLUE_NETWORK -d 0/0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -s 0/0 -d $BLUE_NETWORK -j MASQUERADE

# Now use iptables -A INPUT to block traffic coming from the Internet/Red network to the firewall...
# (ACCEPT rules for the blue networks and loopback go before this catch-all.)
/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j DROP

Hope it helps,
- Gilboa

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
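The same isolation expressed with filter-table rules (FORWARD/INPUT) rather than DROPs in the nat table, as an added example for this thread and not Gilboa's or Geoff's own rules; it assumes ppp0 is the pptp uplink, wlan0 is the NIC facing the open router, and the two address ranges are placeholders.

```shell
#!/bin/sh
# Added example: keep an open wireless ("red") LAN away from the blue LAN
# and from the firewall host, while letting it out through the pptp uplink.
# Assumed names: ppp0 = pptp uplink, wlan0 = NIC facing the open router,
# 192.168.50.0/24 = red network, 192.168.1.0/24 = blue network.
WAN_IF="${WAN_IF:-ppp0}"
RED_IF="${RED_IF:-wlan0}"
RED_NET="${RED_NET:-192.168.50.0/24}"
BLUE_NET="${BLUE_NET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-iptables}"

# Emit the rule set, one iptables argument list per line, so it can be
# reviewed (or checked by a script) before anything touches the kernel.
red_rules() {
    # Replies to connections that red hosts opened may come back in.
    echo "-A FORWARD -o $RED_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Nobody (blue or Internet) may open a connection into red.
    echo "-A FORWARD -o $RED_IF -j DROP"
    # Red may never reach blue, and may only leave via the uplink;
    # the -s match also drops packets with a forged non-red source.
    echo "-A FORWARD -i $RED_IF -s $RED_NET -d $BLUE_NET -j DROP"
    echo "-A FORWARD -i $RED_IF -s $RED_NET -o $WAN_IF -j ACCEPT"
    echo "-A FORWARD -i $RED_IF -j DROP"
    # Nothing from red reaches the firewall host itself (services the router
    # needs from the host, e.g. DHCP or DNS, would need ACCEPTs before this).
    echo "-A INPUT -i $RED_IF -j DROP"
    # Masquerade red behind the pptp address on the way out.
    echo "-t nat -A POSTROUTING -s $RED_NET -o $WAN_IF -j MASQUERADE"
}

# Number of rules in the set, for a quick sanity check.
red_rule_count() { red_rules | wc -l | tr -d ' '; }

# Apply the set with the real binary (needs root); set IPTABLES=echo to dry-run.
apply_red_rules() {
    red_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}
```

Review the output of red_rules first; apply_red_rules appends with -A, so run it once on flushed FORWARD and INPUT chains.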