I'm writing a wireless authenticator that uses iptables to redirect to a login page, then execute more iptables commands to allow the user access once their credentials are verified.
I want the users to be able to use Internet services and connect to each other over SSH and FTP but not
things like NetBIOS, SMTP or Rendezvous. I've devised a way to capture this in essentially a single rule.
Is this good practice? Will this rule do what I think it will?
iptables -t nat -I PREROUTING -p tcp -i wlan0 -s 10.0.0.11 --match mac \
--mac-source 00:30:65:21:a9:ff -m multiport ! --dport 23,24,25,113,137,138,139,427,548 \
-m iprange ! --dst-range 10.0.0.2-10.0.1.255-j ACCEPT
Insert into the prerouting chain of the nat table : if a TCP packet comes in on wlan0 from IP 10.0.0.11 and MAC address 00:30:65:21:a9:ff and is not trying to access special ports on the WLAN accept it (otherwise let it get DNATed further down the chain).
This rule is inserted at position index of the PREROUTING chain (rather than filter table's FORWARD chain) because that's where an unauthenticated client will be DNATed to the authentication system.
Can I do this more simply with 'match multiport' and substitute `-o wlan0` for the iprange? I still want to make sure that clients can access those services if they're on the Internet (for example SMTP might be nice
) because some people do use AFP over TCP/IP.
I have identical rules for TCP and for UDP because multiport requires a tcp/udp specification.