On Mon, Apr 08, 2002 at 12:08:20PM +0500, Imran F Bhatti wrote:
> Hi all,
> I am using netfilter for IP masquerading.
> Can anyone tell me how I can restrict one IP so that it only uses
> masquerading for FTP data transfer but not for any other kind of service, like
> HTTP or MSN?
>
> Here are my rules for the masquerading:
>
If that IP is behind your firewall then you can set up restrictions in the
FORWARD chain, something like this:

/sbin/iptables -A FORWARD -p tcp --dport 21 -s that-ip -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -s that-ip -m state --state NEW -j DROP

The second rule might not be necessary depending on your subsequent rules and
the default policy. Of course, you'll have a rule at the beginning of the
FORWARD chain which allows the ESTABLISHED,RELATED packets:

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Ramin

> /sbin/iptables -t nat -A POSTROUTING -p all -s 172.16.88.0/24 -d 0.0.0.0/0 -j MASQUERADE
> /sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
> /sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_ftp.o
>
> Waiting for an early reply.
>
> Best Regards,
> Imran Fazal Bhatti
> System Administrator
> J-tech (Pvt) Ltd
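The following is an added illustration, not part of the thread and not real netfilter code: a small Python model of how the FORWARD chain in Ramin's reply is evaluated (first matching rule wins, otherwise the chain policy applies) using the connection-tracking states NEW, ESTABLISHED and RELATED. The addresses 172.16.88.10 and 172.16.88.20 and the data port 49152 are constructed sample values. It shows why the ESTABLISHED,RELATED rule must come first (the FTP data connection, which ip_conntrack_ftp classifies as RELATED, is accepted through it), and confirms the reply's caveat that the trailing DROP rule is only needed when the chain's default policy is ACCEPT.

```python
# Added illustration (not from the mailing-list thread): a toy model of how
# netfilter evaluates a FORWARD chain with first-match semantics and
# connection-tracking states. It is NOT real iptables; it only shows why the
# rule order in the reply matters and when the trailing DROP rule is needed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Packet = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every set field must match (AND), like -s/-p/--dport/--state."""
    target: str                                  # -j ACCEPT or -j DROP
    src: Optional[str] = None                    # -s <address>
    proto: Optional[str] = None                  # -p tcp/udp/...
    dport: Optional[int] = None                  # --dport <port>
    states: Optional[FrozenSet[str]] = None      # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and pkt["src"] != self.src:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.states is not None and pkt["state"] not in self.states:
            return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; if nothing matches, the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def packet(src: str, proto: str, dport: Optional[int], state: str) -> Packet:
    """Constructed packet as conntrack would classify it (state is NEW/ESTABLISHED/RELATED)."""
    return {"src": src, "proto": proto, "dport": dport, "state": state}


# Constructed addresses: the restricted host and a neighbour in the same
# 172.16.88.0/24 that the original poster masquerades.
THAT_IP = "172.16.88.10"
OTHER_IP = "172.16.88.20"

# The FORWARD chain from the reply, in the order the reply recommends.
ESTABLISHED_RELATED = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
ALLOW_FTP_CONTROL = Rule("ACCEPT", src=THAT_IP, proto="tcp", dport=21, states=frozenset({"NEW"}))
DROP_OTHER_NEW = Rule("DROP", src=THAT_IP, states=frozenset({"NEW"}))
FORWARD = [ESTABLISHED_RELATED, ALLOW_FTP_CONTROL, DROP_OTHER_NEW]


def restricted_host_verdicts(chain: List[Rule] = FORWARD, policy: str = "ACCEPT") -> Dict[str, str]:
    """Verdicts for the kinds of traffic discussed in the thread."""
    return {
        # FTP control connection: matches the explicit ACCEPT.
        "ftp_control_new": verdict(chain, packet(THAT_IP, "tcp", 21, "NEW"), policy),
        # FTP data connection: ip_conntrack_ftp marks it RELATED, so the first rule takes it.
        "ftp_data_related": verdict(chain, packet(THAT_IP, "tcp", 49152, "RELATED"), policy),
        # Web browsing: a NEW connection to port 80 falls through to the DROP rule.
        "http_new": verdict(chain, packet(THAT_IP, "tcp", 80, "NEW"), policy),
        # Further packets of an already-accepted connection stay accepted.
        "ftp_control_established": verdict(chain, packet(THAT_IP, "tcp", 21, "ESTABLISHED"), policy),
        # A different host on the LAN is untouched by the -s that-ip rules.
        "other_host_http_new": verdict(chain, packet(OTHER_IP, "tcp", 80, "NEW"), policy),
    }


if __name__ == "__main__":
    for name, result in restricted_host_verdicts().items():
        print(f"{name:26s} {result}")
    # With a DROP policy the trailing DROP rule is redundant, as the reply notes.
    print(restricted_host_verdicts([ESTABLISHED_RELATED, ALLOW_FTP_CONTROL], "DROP"))
```

Running the script prints ACCEPT for the FTP control and data connections and DROP for the restricted host's HTTP attempt, while the neighbouring host is still forwarded by the default policy. Dropping the ESTABLISHED,RELATED rule from the chain under a DROP policy shows the failure mode the reply warns about: the RELATED FTP data connection is then discarded.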
