LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 05-20-2005, 09:51 PM   #1
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
Is this good iptables practice ?


I'm writing a wireless authenticator that uses iptables to redirect to a login page, then execute more iptables commands to allow the user access once their credentials are verified.

I want the users to be able to use Internet services and connect to each other over SSH and FTP but not things like NetBIOS, SMTP or Rendezvous. I've devised a way to capture this in essentially a single rule.

Is this good practice? Will this rule do what I think it will?

iptables -t nat -I PREROUTING -p tcp -i wlan0 -s 10.0.0.11 --match mac \
--mac-source 00:30:65:21:a9:ff -m multiport ! --dport 23,24,25,113,137,138,139,427,548 \
-m iprange ! --dst-range 10.0.0.2-10.0.1.255-j ACCEPT


Insert into the prerouting chain of the nat table : if a TCP packet comes in on wlan0 from IP 10.0.0.11 and MAC address 00:30:65:21:a9:ff and is not trying to access special ports on the WLAN accept it (otherwise let it get DNATed further down the chain).

This rule is inserted at position index of the PREROUTING chain (rather than filter table's FORWARD chain) because that's where an unauthenticated client will be DNATed to the authentication system.

Can I do this more simply with 'match multiport' and substitute `-o wlan0` for the iprange? I still want to make sure that clients can access those services if they're on the Internet (for example SMTP might be nice ) because some people do use AFP over TCP/IP.

I have identical rules for TCP and for UDP because multiport requires a tcp/udp specification.
 
Old 05-21-2005, 10:32 PM   #2
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
To avoid making a bunch of rules I decided it would be better to simply add the WLAN services block to the FOWARD chain and make a much much simpler allow statement.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables good practice - 2 questions ddaas Linux - Security 1 05-31-2005 08:09 AM
IPTABLES Firewall (Good enough????) wardialer Linux - Security 10 03-01-2005 10:29 AM
installing and managing new apps. good practice! bikov_k Linux - Newbie 4 10-02-2004 05:23 PM
A good practice for compiling? Micro420 Mandriva 29 08-09-2004 04:36 AM
Good Old IPTABLES Question jrmann1999 Linux - Networking 2 06-20-2001 10:59 AM


All times are GMT -5. The time now is 03:15 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration