
Re: [SLUG] IP Masq



On Mon, Jun 04, 2001 at 04:11:37PM +1000, Peter McCarthy wrote:

> But this is a bit painful having to enter an allow by IP, I would rather just
> disallow the single address.
> 
> Anyone got an idea for this ?

Rules are processed in order, so if you insert a rule to block the
single address before the rule to accept everything on your internal
net, then you don't need to list all the hosts individually.  Also,
input rules are processed before forwarding rules, so there are two
ways to block the host.  For example:

    # internal network is 192.168.1.0/24 on eth0
    # 192.168.1.16 isn't allowed to access anything external
    #
    # input rules
    #
    # accept any local traffic
    /sbin/ipfwadm -Ia accept -S 192.168.1.0/24 -D 192.168.1.0/24 -W eth0
    # drop anything else from 192.168.1.16
    /sbin/ipfwadm -Ia deny -S 192.168.1.16 -W eth0
    # but accept packets from any other hosts on the internal net
    /sbin/ipfwadm -Ia accept -S 192.168.1.0/24 -W eth0
    #
    # forwarding rules
    #
    # deny forwarding from 192.168.1.16
    /sbin/ipfwadm -Fa deny -S 192.168.1.16
    # forward and masquerade anything else from the local net
    /sbin/ipfwadm -Fa accept -m -S 192.168.1.0/24

Apologies if I've stuffed up the syntax; I don't have a 2.0 series
kernel here.


Cheers,

John
-- 
whois !JC774-AU@nospam.whois.aunic.net
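The ordering point in John's reply (first matching rule wins, and the input chain is consulted before the forwarding chain) can be checked without a 2.0 kernel by simulating the evaluation. The following is an added example, not code from the original post or from the ipfwadm tool: it models the two chains from the message as ordered lists of rules, evaluates constructed packets against them with first-match semantics, and shows what happens when the single-host deny is appended after the broad accept instead of before it. The packet representation, a default policy of deny for each chain, the rule that only packets bound for a non-local destination reach the forwarding chain, and the external address 203.0.113.10 are all assumptions made for illustration.

```python
"""First-match evaluation of an ordered input chain followed by a forward
chain, mirroring the ipfwadm rule set in the message above.

Added example, not part of the original post. The packet format, the
chain default policy (deny), the local-delivery shortcut and the external
address 203.0.113.10 are assumptions for illustration only."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"        # internal network from the message
BLOCKED = "192.168.1.16/32"   # the single host that must not reach outside
EXTERNAL = "203.0.113.10"     # constructed external address (documentation range)


@dataclass(frozen=True)
class Rule:
    policy: str                    # "accept" or "deny"
    src: str = ANY                 # -S source network (CIDR)
    dst: str = ANY                 # -D destination network (CIDR)
    iface: Optional[str] = None    # -W interface; None matches any
    masq: bool = False             # -m: masquerade on accept (forward chain)

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.iface is not None and pkt["iface"] != self.iface:
            return False
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst))


def first_match(chain: List[Rule], pkt: Dict[str, str], default: str = "deny") -> Rule:
    """Return the first rule that matches, or a synthetic rule carrying the
    chain's default policy (assumed to be deny here)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule
    return Rule(default)


def decide(input_chain: List[Rule], forward_chain: List[Rule], pkt: Dict[str, str]) -> str:
    """Input rules run first; only accepted packets bound for a non-local
    address go on to the forwarding chain (assumed model)."""
    hit = first_match(input_chain, pkt)
    if hit.policy != "accept":
        return "denied by input chain"
    # A packet addressed to a host on the internal net is delivered locally.
    if ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(LAN):
        return "accepted (local delivery)"
    hit = first_match(forward_chain, pkt)
    if hit.policy != "accept":
        return "denied by forward chain"
    return "forwarded (masqueraded)" if hit.masq else "forwarded"


def packet(src: str, dst: str, iface: str = "eth0") -> Dict[str, str]:
    """Constructed packet: only the fields the rules look at."""
    return {"src": src, "dst": dst, "iface": iface}


# Same order as the rules in the message: local traffic, the host deny,
# then the broad accept for the rest of the internal net.
INPUT_ORDERED = [
    Rule("accept", src=LAN, dst=LAN, iface="eth0"),
    Rule("deny", src=BLOCKED, iface="eth0"),
    Rule("accept", src=LAN, iface="eth0"),
]
FORWARD_ORDERED = [
    Rule("deny", src=BLOCKED),
    Rule("accept", src=LAN, masq=True),
]

# The mistake the message warns against: the host-specific deny appended
# after the broad accept is never reached because the accept matches first.
INPUT_MISORDERED = [
    Rule("accept", src=LAN, dst=LAN, iface="eth0"),
    Rule("accept", src=LAN, iface="eth0"),
    Rule("deny", src=BLOCKED, iface="eth0"),
]
FORWARD_MISORDERED = [
    Rule("accept", src=LAN, masq=True),
    Rule("deny", src=BLOCKED),
]

if __name__ == "__main__":
    samples = [
        packet("192.168.1.16", EXTERNAL),
        packet("192.168.1.16", "192.168.1.5"),
        packet("192.168.1.20", EXTERNAL),
    ]
    for pkt in samples:
        print(f'{pkt["src"]} -> {pkt["dst"]}: {decide(INPUT_ORDERED, FORWARD_ORDERED, pkt)}')
    print("both chains misordered:",
          decide(INPUT_MISORDERED, FORWARD_MISORDERED, packet("192.168.1.16", EXTERNAL)))
    print("input misordered, forward ordered:",
          decide(INPUT_MISORDERED, FORWARD_ORDERED, packet("192.168.1.16", EXTERNAL)))
```

Running it shows the blocked host stopped at the input chain when the rules are in the message's order, local traffic from that host still accepted, and the rest of the net forwarded with masquerading. With both chains misordered the host is forwarded and masqueraded as if no deny existed; with only the input chain misordered the forwarding-chain deny still catches it, which is why the reply says there are two places to block the host.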

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug