Re: iptables rule to allow NAT but not local access
On Wed, 2008-08-06 at 22:01 +0300, Geoffrey S. Mendelson wrote:
> I want to install a wireless router that is unprotected (it's for a special
> occasion).
>
> During the time it is up, I want to allow users on it to access my Internet
> connection, but not the computer running the connection (it's the usual
> pptp tunnel).
>
> If I need to I can add an ethernet interface just for that router.
>
> I'm using a 2.4 kernel so I need an iptables rule.
>
> Any ideas?
>
> Thanks, Geoff.

Hello Geoff,

I'm no iptables guru, but I may be able to help you.

My wireless router is connected to a separate NIC routed directly to my firewall VM. (disabled on host; bridged on VM)
The NIC is disabled most of the time - unless I require wireless access. (... and even then it has an inactivity-based kill-switch)

The network is divided into a number of blue networks (private networks), a red network (wireless) and, of course, the Internet.
The firewall uses NAT to route packets between the different blue networks, and between the red/blue networks and the Internet.

My NAT iptables rules look something like this: (pseudo code)

    # Don't route packets between red and blue networks.
    # Must come first (!!!)
    # AFAIK PREROUTING can be used instead.
    /sbin/iptables -t nat -A POSTROUTING -s $RED_NETWORK -d $BLUE_NETWORK -j DROP
    /sbin/iptables -t nat -A POSTROUTING -s $BLUE_NETWORK -d $RED_NETWORK -j DROP

    # NAT: Red network.
    /sbin/iptables -t nat -A POSTROUTING -s $RED_NETWORK -d 0/0 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -s 0/0 -d $RED_NETWORK -j MASQUERADE

    # NAT: Blue network.
    /sbin/iptables -t nat -A POSTROUTING -s $BLUE_NETWORK -d 0/0 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -s 0/0 -d $BLUE_NETWORK -j MASQUERADE

    # Now use iptables -A INPUT to block traffic coming from the Internet/Red network to the firewall...
    /sbin/iptables -A INPUT -s 0/0 -d 0/0 -j DROP

Hope it helps,
- Gilboa

= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: iptables rule to allow NAT but not local access
Geoffrey S. Mendelson wrote:
> I want to install a wireless router that is unprotected (it's for a special
> occasion).
>
> During the time it is up, I want to allow users on it to access my Internet
> connection, but not the computer running the connection (it's the usual
> pptp tunnel).
>
> If I need to I can add an ethernet interface just for that router.
>
> I'm using a 2.4 kernel so I need an iptables rule.
>
> Any ideas?
>
> Thanks, Geoff.

I don't get what the problem is.

The "INPUT" table is for access to the machine itself, the "FORWARD" chain is for packets merely forwarded through the machine. Block everything on "INPUT" and block all of the machine's IP addresses on "FORWARD", and you're more or less done.

Unless I missed something here.

Shachar
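The two approaches above (Gilboa's red/blue separation with NAT, and Shachar's "drop on INPUT, restrict on FORWARD") combined into one rule set, as an added example that is not code from either poster. The interface names (eth1 for the NIC the open router plugs into, ppp0 for the pptp tunnel) and the subnets are constructed assumptions. It keeps the filtering in the filter table rather than in nat POSTROUTING, since the nat table only sees a connection's first packet, and it runs in dry-run mode (IPT defaults to "echo iptables") so the rules can be read before applying them with IPT=/sbin/iptables as root. Only `-m state` is used, which the 2.4 kernels Geoff mentions already have.

```shell
#!/bin/sh
# Added example, not code from the thread. Guest-WLAN rule set:
# guests reach the Internet through the firewall but not the firewall
# host itself or the trusted LAN. Interface names and subnets below are
# constructed assumptions; adjust them to the real setup.
#
# Dry run by default: IPT="echo iptables" prints each rule instead of
# applying it. To apply, run as root with IPT=/sbin/iptables.
IPT="${IPT:-echo iptables}"
RED_IF="${RED_IF:-eth1}"                 # NIC the open wireless router plugs into
RED_NET="${RED_NET:-192.168.50.0/24}"     # guest (red) subnet behind that router
BLUE_NET="${BLUE_NET:-192.168.1.0/24}"    # trusted (blue) LAN
INET_IF="${INET_IF:-ppp0}"                # the pptp tunnel carrying Internet traffic

guest_rules() {
    # 1. The firewall host itself is off limits to guests. INPUT, not FORWARD,
    #    is the chain that sees packets addressed to the host's own IPs.
    $IPT -A INPUT -i "$RED_IF" -j DROP

    # 2. Let replies to already-accepted connections through in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Deny guests the trusted LAN explicitly. This lives in the filter
    #    table because the nat table only inspects a connection's first packet.
    $IPT -A FORWARD -i "$RED_IF" -d "$BLUE_NET" -j DROP

    # 4. Allow new guest connections only when they leave via the tunnel,
    #    then drop whatever else the guest interface tries to forward.
    $IPT -A FORWARD -i "$RED_IF" -o "$INET_IF" -j ACCEPT
    $IPT -A FORWARD -i "$RED_IF" -j DROP

    # 5. Hide the guest subnet behind the tunnel's address.
    $IPT -t nat -A POSTROUTING -s "$RED_NET" -o "$INET_IF" -j MASQUERADE
}

# Number of rules the function emits; handy as a dry-run sanity check.
guest_rule_count() {
    guest_rules | grep -c -- '-A '
}

guest_rules
```

Rule 3 is redundant with the final DROP in rule 4 as long as the trusted LAN is not reached through the tunnel interface; it is kept so that the intent survives later edits to the accept rules. Rule 1 is what actually satisfies Geoff's requirement, since traffic to the firewall's own addresses never traverses FORWARD.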
Re: iptables rule to allow NAT but not local access
Geoffrey S. Mendelson wrote:
> On Wed, Aug 06, 2008 at 11:35:04PM +0300, Moish wrote:
>> If you have any old box ( or vmware server ), download and install IPCOP and
>> in 5 minutes you'll have it.
>
> Thanks, but how will that affect my already existing carefully crafted rules?
>
> Geoff.

If you care to read the forum ( probably not..) one of the common uses of the system is for ad hoc configuration.

It all comes down to what is defined as your "external" connection. I assumed you wanted to create an isolated environment giving WWW access to its clients without interfering with your current setup.

For that matter, define an IP on your current network as the "External" connection, RED in IPCOP terms, a different set of IPs for the "new" LAN, GREEN in IPCOP terms, and last a wireless network, BLUE in IPCOP terms.

Otherwise, iptables-save, iptables -D, iptables-restore.

Am I missing something?

PS DO read the short documentation at ipcop.org

Moish
Re: iptables rule to allow NAT but not local access
On Wed, Aug 06, 2008 at 11:35:04PM +0300, Moish wrote:
> If you have any old box ( or vmware server ), download and install IPCOP and
> in 5 minutes you'll have it.

Thanks, but how will that affect my already existing carefully crafted rules?

Geoff.

--
Geoffrey S. Mendelson, Jerusalem, Israel [EMAIL PROTECTED] N3OWJ/4X1GM
Re: iptables rule to allow NAT but not local access
If you have any old box ( or vmware server ), download and install IPCOP and in 5 minutes you'll have it.

Moish