/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */


Guy Harper <[EMAIL PROTECTED]> wrote:
>
> I have an IP masq machine in place between my public and private
> network, which is used primarily for access to our mail server, but is
> also the only point of access to the public internet.

I see.

> I would like to implement per machine access to the public internet,
> but give all machines access to our public network.

The immediate method that springs to mind is to differentiate by IP
addresses.  That is, your public network probably has a very limited
range of IP addresses that can be found on it.  You should create rules
that allow traffic to those particular IP addresses without restraint,
then add further rules to restrict the traffic to the external Internet.

> Is it possible to enable use of IP masq routing on a per-machine basis
> for a given port number?

What you should more likely do is to set up input firewall rules that
disallow traffic from your private net that attempts to reach networks
you do not wish it to reach.  Then the forwarding rules will remain
simple, masquerading any traffic that manages to get past the input
rules.

> e.g.  Allow all machines access on port 25, but only selected machines
> on port 80.

    # A port match needs a protocol, so each rule carries -p tcp.
    ipchains -A input -i $PRIVATE_IF -p tcp -d 0/0 25 -j ACCEPT
    ipchains -A input -i $PRIVATE_IF -p tcp -s 10.1.2.3 -d 0/0 80 -j ACCEPT
    ipchains -A input -i $PRIVATE_IF -p tcp -d 0/0 80 -j REJECT

This ruleset allows any host to contact any other host on port 25, and
it allows host 10.1.2.3 to contact any host on port 80, but other hosts
are prevented from contacting port 80.

I hope you can see how to generalize and customize this further.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
  http://www.dallas.net/~fox/      ||                 -- Life Lessons
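The approach in the reply above (exempt your own public network, then grant port 25 to everyone and port 80 to selected hosts, then masquerade what gets through) as a complete script. This is an added example, not code from the original thread; the interface eth1, the networks 10.0.0.0/8 and 192.0.2.0/24 and the host addresses are constructed values.

```sh
#!/bin/sh
# Added example, not from the original post: the reply's input-chain approach,
# generalised to a list of web-enabled hosts plus an exempt public network.
# The interface, the networks and all addresses below are constructed.
IPCHAINS="${IPCHAINS:-ipchains}"
# Without ipchains installed, print the commands instead so the rules can be
# reviewed on any machine (set IPCHAINS=echo to force this mode).
command -v "$IPCHAINS" >/dev/null 2>&1 || IPCHAINS="echo ipchains"

PRIVATE_IF="${PRIVATE_IF:-eth1}"               # interface facing the private LAN
PRIVATE_NET="${PRIVATE_NET:-10.0.0.0/8}"       # addresses to masquerade
PUBLIC_NET="${PUBLIC_NET:-192.0.2.0/24}"       # your own public network, unrestricted
WEB_HOSTS="${WEB_HOSTS:-10.1.2.3 10.1.2.4}"    # private hosts allowed to reach port 80

rule() { $IPCHAINS "$@"; }

# Input-chain policy.  ipchains stops at the first matching rule, so the
# order below is the policy: exemptions first, then the per-host grants,
# then the catch-all refusal.
apply_rules() {
    # 1. Anything bound for our own public network passes untouched.
    rule -A input -i "$PRIVATE_IF" -d "$PUBLIC_NET" -j ACCEPT
    # 2. Mail: every private host may reach port 25 anywhere.
    #    A port match needs a protocol, hence -p tcp.
    rule -A input -i "$PRIVATE_IF" -p tcp -d 0/0 25 -j ACCEPT
    # 3. Web: only the listed hosts.
    for h in $WEB_HOSTS; do
        rule -A input -i "$PRIVATE_IF" -p tcp -s "$h" -d 0/0 80 -j ACCEPT
    done
    # 4. Everyone else is refused on port 80.  REJECT returns an ICMP error,
    #    so the client fails at once instead of waiting for a timeout.
    rule -A input -i "$PRIVATE_IF" -p tcp -d 0/0 80 -j REJECT
}

# Forwarding stays simple: masquerade whatever survived the input chain.
apply_forward() {
    rule -A forward -s "$PRIVATE_NET" -j MASQ
}

apply_rules
apply_forward
```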

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]