Hi Bob,
As many said before, due to the lack of info, will result in only partly helpful replies.....
1) Decent firewall's have all policies firmly to "DROP" (instead of the default "ACCEPT") 2) Assuming eth0 is your lan-device, (connected to 192.168.1.255/24) 3) Assuming eth1 is connected to your internet modem 4) before (!) allowing other traffic outside insert iptables -t filter -A FORWARD -i eth0 -o eth1 --source 192.168.1.17 -j DROP iptables -t filter -A FORWARD -I eth1 -o eth1 --destination 192.168.1.17 -j DROP 5) next allow other traffic to go outside
Input- and output-chains are only for traffic originating from the box, or having the final destination on the box. Traffic passing through is handled by the FORWARD-rule.
As I indicated in my top-line, this is very crude, iptables allows making self-defined sub-chains, and many other nice tricks, like timebased rules and so on....
-----Original Message----- From: users-bounces@lists.fedoraproject.org [mailto:users-bounces@lists.fedoraproject.org] On Behalf Of Mike Wright Sent: maandag 8 februari 2016 23:25 To: Community support for Fedora users Subject: Re: iptables -
On 02/08/2016 02:10 PM, Bob Goodwin wrote:
Can someone give me an example [for my router] of the iptables code needed to prevent 192.168.1.17 from connecting to the internet while keeping normal LAN access?
Hi Bob,
Decided lack of info to go on but this will accomplish that.
If you just want the internet to be "non-existent" WRT 192.168.1.17 the easiest way is to DROP all traffic between them.
Let eth0 be the internet connected network card.
iptables -t filter -A INPUT -i eth0 -d 192.168.1.17 -j DROP iptables -t filter -A OUTPUT -o eth0 -s 192.168.1.17 -j DROP
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
______________________________________________________________________ Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
On 02/09/16 04:06, J.Witvliet@mindef.nl wrote:
Hi Bob,
As many said before, due to the lack of info, will result in only partly helpful replies.....
- Decent firewall's have all policies firmly to "DROP" (instead of the default "ACCEPT")
- Assuming eth0 is your lan-device, (connected to 192.168.1.255/24)
- Assuming eth1 is connected to your internet modem
- before (!) allowing other traffic outside insert
iptables -t filter -A FORWARD -i eth0 -o eth1 --source 192.168.1.17 -j DROP iptables -t filter -A FORWARD -I eth1 -o eth1 --destination 192.168.1.17 -j DROP 5) next allow other traffic to go outside
Input- and output-chains are only for traffic originating from the box, or having the final destination on the box. Traffic passing through is handled by the FORWARD-rule.
As I indicated in my top-line, this is very crude, iptables allows making self-defined sub-chains, and many other nice tricks, like timebased rules and so on....
.
J.W.
Thanks for the explanation and example. The responses to my query help me to begin to understand the openwrt provided firewall. It also contains some examples and it appears to have a place where I can add some similar code.
My immediate concern is ensuring that there is no connection between my NFS server and the WAN-internet. It runs with F-21 and has firewalld and selinux both active and it seems blocking access in the router firewall, as I usually do, is desirable.
In addition I would like to be able to restrict users WAN access at times when we begin to run low on allowable usage for the month. During those times certain users [LAN addresses or mac's] would be blocked between 05:00 and 24:00.
I have a router running Tomato that is configured to do these things and has been working well for a long while but I am interested in setting up an alternative trying Openwrt, It's not critical but an interesting project for and I might even learn something ...
Bob
-
Bob Goodwin -
J.Witvliet@mindef.nl