HPE Community
Operating System - Linux
1827376 Members
4389 Online
109963 Solutions
New Discussion

Re: IPTABLES - deny hosts access to the internet

 
SOLVED
Go to solution
Piotr Kirklewski
Super Advisor

‎02-13-2010 04:34 PM

‎02-13-2010 04:34 PM

IPTABLES - deny hosts access to the internet

Hi there
The sytuation is as follows:


GATEWAY
^
|
|
ROUTER1
^
|
|
<----HOST_A 11:11:11:11:11:11
^
|
|
<----HOOST_B 22:22:22:22:22:22


The iptables is included in my routers firmware.
I need to allow to the internet only those hosts listed in IP tables. So if i include HOSTA_A MAC and HOSTS_B MAC address only those addresses are allowed to the internet.

iptables -P INPUT DROP
iptables -I INPUT -m mac ! --mac-source 11:11:11:11:11:11 -j ACCEPT
iptables -I INPUT -m mac ! --mac-source 22:22:22:22:22:22 -j ACCEPT


Now if I try to access the Internet from another device iptables cuts the access only to the ROUTER_1 but not to the Internet. I can still ping websites and the gateway.

Please help

Peter
Jesus is the King
0 Kudos
Reply
4 REPLIES 4
Steven E. Protter
Exalted Contributor

‎02-13-2010 07:53 PM

‎02-13-2010 07:53 PM

Re: IPTABLES - deny hosts access to the internet

Shalom Peter,

Firewall on the gateway.

iptables -A INPUT -j DROP

That will deny them access to the Internet.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Piotr Kirklewski
Super Advisor

‎02-14-2010 07:29 AM

‎02-14-2010 07:29 AM

Re: IPTABLES - deny hosts access to the internet

That would be simple - but the gateway is just a DLINK router :(
Jesus is the King
0 Kudos
Reply
J. Maestre
Honored Contributor

‎02-15-2010 04:17 AM

‎02-15-2010 04:17 AM

Re: IPTABLES - deny hosts access to the internet

Since you want to modify the router functionality and not the access to that machine you'd have to work with the FORWARD chain, not the INPUT chain.
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎02-15-2010 11:32 PM

‎02-15-2010 11:32 PM

Solution

Re: IPTABLES - deny hosts access to the internet

J. Maestre is correct: the FORWARD table does what you want.

The "policy" (iptables -P) decides what to do with a packet if _none_ of the rules in the table match it. The rules are processed in order, and the first rule that matches the packet and provides a decision (e.g. -j ACCEPT or -j DROP) will determine the fate of the packet.

So, I'd prefer to avoid "double negatives" and instead would write the rules to directly spell out what I want:

iptables -P FORWARD DROP
iptables -I FORWARD -i -j ACCEPT
iptables -I FORWARD -m mac --mac-source 11:11:11:11:11:11 -j ACCEPT
iptables -I FORWARD -m mac --mac-source 22:22:22:22:22:22 -j ACCEPT

Replace with the name of the appropriate network interface, e.g. eth1.

The above ruleset allows in anything that comes in from the gateway, which may not be the safest choice.

If you don't need the ability to access your internal network from the outside, you might want to use state matching:

iptables -P FORWARD DROP
iptables -I FORWARD -i -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m mac --mac-source 11:11:11:11:11:11 -j ACCEPT
iptables -I FORWARD -m mac --mac-source 22:22:22:22:22:22 -j ACCEPT

With this, anything from your two chosen hosts may go out, but only responses to connections already established from the inside may come in. This will keep much of the "scum of the Internet" (= malware programs and script kiddies seeking vulnerable hosts) out of your internal network, making it a safer place.

If you later need to accept incoming traffic by specific protocols, you can do it by adding specific ACCEPT rules for those protocols and/or destination hosts.

MK
MK
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.