D&C Lug - Home Page
Devon & Cornwall Linux Users' Group


Re: [LUG] a question of routing



Hi Steve,

It would be better to block at your router, but I am
presuming the router is without a firewall.

# allow the LAN (direct connections) and mybox (forwarded from the router),
# then drop every other connection to port 80
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 111.111.111.111 -j ACCEPT   # mybox
iptables -A INPUT -p tcp --dport 80 -j DROP

That should do the job.

The second rule is going to be a lot more of a hassle
if you are allocated a dynamic IP by your dial-up ISP.
In fact I can't think of a way around that unless you
set up https or authentication.

Luke

Quoting Steve Marvell <steve@xxxxxxxxxxxxxx>:

> Imagine, if you will, a networking situation
> thus:
> 
> mybox (111.111.111.111)
> 
> dialup
> 
> demon internet
> 
> (the internet)
> 
> broadband provider
> 
> router [external] (222.222.222.222)
> router [internal] (10.0.0.1)
> 
> lan
> 
> server (10.0.0.10)
> 
> 
> In order that mybox can http to server, router port forwards 80 to
> server. Since it's only mybox that is supposed to access this port
> from the internet, and all things on the lan should be able to too, I
> have iptables on server.
> 
> Given the port forwarding situation, I'm not sure what I'm doing with
> iptables. Can someone give me the iptables options which say:
> 
> allow lan to access port 80 as a direct connection
> allow mybox to access port 80 port forwarded from router
> deny all other port 80 access port forwarded from router
> 
> Cheers
> 
> Steve
> 

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
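As an added example (not code from Luke's or Steve's posts), a small shell script that builds the policy discussed in this thread, allow the LAN, allow mybox, log and drop the rest, in its own chain so that the mybox entry can be swapped when the dial-up ISP hands out a new address. The addresses 10.0.0.0/8 and 111.111.111.111 are the thread's placeholders; the chain name HTTP_IN and the function names are my own.

```shell
#!/bin/sh
# Added example for this thread, not code from either post. It emits the
# iptables commands instead of running them so they can be reviewed before
# being applied as root (e.g. `./http_acl.sh | sh`). Assumed values: the
# LAN is 10.0.0.0/8 and mybox is the thread's placeholder 111.111.111.111.
LAN_NET="10.0.0.0/8"
MYBOX_IP="111.111.111.111"

# Reject anything that is not an IPv4 address or CIDR prefix, so a typo
# cannot silently turn into a rule that matches nothing (or everything).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Rules for port 80 live in their own chain: LAN and mybox are accepted,
# everything else is rate-limited to the log and dropped. The INPUT hook
# is only inserted if it is not already there, so re-running is safe.
http_ruleset() {
    lan="$1"; mybox="$2"
    valid_ipv4 "$lan" && valid_ipv4 "$mybox" || return 1
    cat <<EOF
iptables -N HTTP_IN 2>/dev/null || iptables -F HTTP_IN
iptables -A HTTP_IN -s $lan -j ACCEPT
iptables -A HTTP_IN -s $mybox -j ACCEPT
iptables -A HTTP_IN -m limit --limit 5/min -j LOG --log-prefix "HTTP80 denied: "
iptables -A HTTP_IN -j DROP
iptables -C INPUT -p tcp --dport 80 -j HTTP_IN 2>/dev/null || iptables -I INPUT -p tcp --dport 80 -j HTTP_IN
EOF
}

# When the dial-up ISP hands mybox a new address, only its ACCEPT entry is
# swapped; the LAN rule and the log/drop tail are left alone.
mybox_update() {
    old="$1"; new="$2"
    valid_ipv4 "$old" && valid_ipv4 "$new" || return 1
    cat <<EOF
iptables -D HTTP_IN -s $old -j ACCEPT
iptables -I HTTP_IN 1 -s $new -j ACCEPT
EOF
}

http_ruleset "$LAN_NET" "$MYBOX_IP"
```

The LOG rule is what tells you whether anything other than mybox is knocking on the forwarded port; check the kernel log for the "HTTP80 denied:" prefix.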

