Re: how can I write this Ipchains rules ?? ?

From: Marc Greene (eru@subdimension.com)
Date: 01/09/02


From: eru@subdimension.com (Marc Greene)
Date: 8 Jan 2002 19:41:50 -0600

On 8 Jan 2002 17:17:43 -0800, ww <ww@challenger.com.cn> wrote:
>hi,
>all
>happy new year!
>
>I want to let my linux box do ip MASQ when the "-d addr" is neither
>192.168.100.0/24 nor 10.1.101.0/24 . how will I write these Ipchains
>rules ?

All the examples I've seen suggest having a default policy of DENY
and then allowing whatever hosts you want to specifically allow. My
rules are like:

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $EXTIF -s $INTLAN -j MASQ

$EXTIF is the modem (ppp0) for me, and it produces:

[~]> /sbin/ipchains -L forward
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ 192.168.0.0/24 anywhere n/a
[~]>

I would imagine you're looking for the opposite, maybe something like:

/sbin/ipchains -P forward MASQ
/sbin/ipchains -A forward -i $EXTIF -s 192.168.100.0/24 -j DENY
/sbin/ipchains -A forward -i $EXTIF -s 10.1.101.0/24 -j DENY

HTH

Marc
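A forward chain that does what the original question literally asks (masquerade only when the destination is neither 192.168.100.0/24 nor 10.1.101.0/24), given here as an added example and not as Marc's own rules: it matches on the destination with -d, and it forwards traffic to those two networks with real addresses instead of denying it. The external interface ppp0, the internal LAN 192.168.0.0/24 and the dry-run default are assumptions not stated in the thread; point IPCHAINS at the real binary to apply the rules. The order is the point: ipchains takes the first rule that matches in a chain, so the two exceptions have to be appended before the catch-all MASQ rule.

```shell
#!/bin/sh
# Added example, not from the original post: masquerade LAN traffic leaving
# the modem except when it is bound for two networks that must be forwarded
# with their real addresses.
#
# Assumed values (none are given in the thread): external interface ppp0,
# internal LAN 192.168.0.0/24. By default the commands are only printed;
# to apply them run as root with IPCHAINS=/sbin/ipchains.
EXTIF=${EXTIF:-ppp0}
INTLAN=${INTLAN:-192.168.0.0/24}
NOMASQ_NETS=${NOMASQ_NETS:-"192.168.100.0/24 10.1.101.0/24"}
IPCHAINS=${IPCHAINS:-"echo ipchains"}   # dry run unless overridden

# ipchains takes the first rule that matches, so the exceptions have to be
# appended before the catch-all MASQ rule.
build_forward_chain() {
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    for net in $NOMASQ_NETS; do
        # outbound: forward unchanged on whichever interface routes there,
        # so no -i on this rule
        $IPCHAINS -A forward -s "$INTLAN" -d "$net" -j ACCEPT
        # return path: these replies are not de-masqueraded at input, they
        # pass through the forward chain and would otherwise hit the DENY
        # policy
        $IPCHAINS -A forward -s "$net" -d "$INTLAN" -j ACCEPT
    done
    # everything else from the LAN going out the modem: masquerade.
    # In the forward chain -i is the interface the packet leaves on.
    $IPCHAINS -A forward -i "$EXTIF" -s "$INTLAN" -j MASQ
}

# Helpers for checking a dry run: number of -A rules, and the target of the
# last one (which must be MASQ for the ordering above to be right).
rule_count() {
    build_forward_chain | grep -c -- '-A forward'
}
last_rule_target() {
    build_forward_chain | grep -- '-A forward' | tail -n 1 | sed 's/.*-j //'
}

build_forward_chain
```

Run it once as a dry run to read the commands, then as root with IPCHAINS=/sbin/ipchains, and check the result with /sbin/ipchains -L forward -n: the ACCEPT lines for the two networks must appear above the MASQ line. The return-path rules are there because replies to masqueraded connections are de-masqueraded at input and skip the forward chain, whereas packets coming back from the two unmasqueraded networks do traverse it and would be dropped by the DENY policy without an explicit ACCEPT.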
