Linux - Networking
This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Yes, I was using 192.168.2.4 and checking access from that IP only.
You mention the ethernet card - is this on the server or on 192.168.2.4, and do I find this via ifconfig?
Your small network has several computers; I assume they are connected to a switch, as well as the server. Can you tell us which ethernet card on the server is used for it - eth1?
I suppose that eth0 is for internet router.
So I now have IM and HTTP working in the unrestricted rules.
By removing the lines relating to HTTP, I have an IM only version (my restricted one). The downside, as you will no doubt have spotted, is that one of the ports I need to open for MSN Messenger IM via Pidgin is 443, so HTTPS access *IS* available.
Any ideas on how I can restrict this to addresses, or use the traffic shaping ability?
Does MSN not have a particular selection of IP addresses to which it connects? Maybe by popping open Wireshark and having a look at the destination IP(s) of the MSN traffic, you can tighten up the IM rules to allow port 443 traffic ONLY to IP(s) associated with MSN Messenger.
One slight glitch has emerged. The iptables as now stated stop the server (192.168.2.5) from accessing the internet! I tried specifying it in the iptables chain but that did not work. I can do a daft workaround by flushing the iptables each day, running any updates and then reinstalling iptables, but that seems a bit cumbersome. Is there a better way?
Also, is there any preferred set up of static IP addresses on home networks? Should the server have the next address along from the router (i.e. become 192.68.2.2), for example?
These are my current (unrestricted - the restricted version does not allow HTTP access in FORWARD rules) iptables:
Quote:
# Generated by iptables-save v1.4.4 on Sun Jan 17 23:06:47 2010
*mangle
:PREROUTING ACCEPT [1647:254606]
:INPUT ACCEPT [1647:254606]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1597:178694]
:POSTROUTING ACCEPT [1595:178330]
COMMIT
# Completed on Sun Jan 17 23:06:47 2010
# Generated by iptables-save v1.4.4 on Sun Jan 17 23:06:47 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:364]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Jan 17 23:06:47 2010
# Generated by iptables-save v1.4.4 on Sun Jan 17 23:06:47 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.5/32 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.16/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.16/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.17/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.17/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.18/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.18/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.4/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.4/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.9/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.9/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.14/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.14/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.16/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.16/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.17/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.17/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.18/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.18/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.9/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.9/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Sun Jan 17 23:06:47 2010
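To trace why the posted rules stop the server itself from reaching the internet while LAN clients are still forwarded, here is a small first-match evaluator for the subset of iptables-save syntax used in the ruleset above. It is an added example written for this thread, not code from the poster or from iptables; the packets are constructed, and the extra OUTPUT rule in FIXED_RULES is an assumed repair for comparison, not part of the posted configuration.

```python
import ipaddress
import shlex

# Verbatim subset of the OUTPUT/FORWARD rules posted above.
RULES = """
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD -s 192.168.2.4/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
"""
# Hypothetical repair (an assumption, not from the thread): accept the server's own NEW connections out of eth0.
FIXED_RULES = RULES.replace("-A OUTPUT -j DROP",
                            "-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT\n-A OUTPUT -j DROP")
VALUE_OPTS = {"-s", "-d", "-p", "-o", "-j", "--dport", "--dports", "--state", "--ctstate"}

def parse(text):
    """Return {chain: [rule dicts]} from '-A' lines; tokens outside VALUE_OPTS are skipped."""
    chains = {}
    for line in text.strip().splitlines():
        tok, rule, i = shlex.split(line), {}, 2
        while i < len(tok):
            if tok[i] in VALUE_OPTS:
                rule[tok[i]], i = tok[i + 1], i + 2
            else:
                i += 1  # "-m tcp", "--log-prefix ...": no effect on matching
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """True when every match option present in the rule holds for the packet."""
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    checks = {"-s": lambda v: in_net(pkt["src"], v), "-d": lambda v: in_net(pkt["dst"], v),
              "-p": lambda v: pkt["proto"] == v, "-o": lambda v: pkt.get("oif") == v}
    if any(k in rule and not f(rule[k]) for k, f in checks.items()):
        return False
    ports = rule.get("--dport") or rule.get("--dports")
    if ports and str(pkt.get("dport")) not in ports.split(","): return False
    states = rule.get("--state") or rule.get("--ctstate")
    return not states or pkt["state"] in states.split(",")

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """Walk the chain in order: LOG is non-terminating, the first other target wins."""
    for rule in chains.get(chain, []):
        if rule["-j"] != "LOG" and matches(rule, pkt):
            return rule["-j"]
    return policy

# Constructed sample: the server (192.168.2.5) opening a new HTTP connection to 203.0.113.10 (documentation space) via eth0.
SERVER_NEW = {"src": "192.168.2.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "state": "NEW", "oif": "eth0"}
```

Running `verdict(parse(RULES), "OUTPUT", SERVER_NEW)` yields DROP because the OUTPUT chain only accepts RELATED,ESTABLISHED traffic before its final DROP, whereas `verdict(parse(FIXED_RULES), "OUTPUT", SERVER_NEW)` yields ACCEPT; replies to those connections are then matched by the existing ESTABLISHED rule.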