Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have configured an iptables firewall; it was running fine. The whole private IP pool of 192.168.0.0 was given access to the internet through static NAT.
But now I want to let only a selected number of IPs get access. Please advise on the syntax. I am also pasting the script for your reference; please suggest changes to it if you have any. But the main issue is to limit the number of users, say to let only 10 users in the default subnet access the internet. What is the syntax that I should use instead of 192.168.0.0/24?
# default policies: drop anything no rule below accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# incoming packets from lan
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.255 -j ACCEPT
# WAN LINES
iptables -A INPUT -p ALL -d [wan ip address] -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD RULE
# (no -s match: this forwards packets from any source address arriving on eth1)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SPOOFING
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s [WAN IP] -j ACCEPT
# (the nat-table SNAT rule mentioned in the post is not included in the pasted script)
The easiest thing to do is to use the x.x.x.x/y syntax, but lock it down further. For example, 192.168.0.0/28 is defined as the subnet 192.168.0.0-192.168.0.15 (there are 16 addresses in this subnet, but 0.0 is the network address and 0.15 is the broadcast address, leaving 14 usable addresses).
Because it's a binary system, it has to work in powers of 2 - here's a more detailed list:
Of course, you don't have to stick with starting at the beginning of the 192.168.0 range - for example you could put your users somewhere in the middle of the range:
192.168.0.128/28: 192.168.0.128 - 192.168.0.143
If you're gonna do this though, be careful - the boundaries you start on have to be a multiple of the number of IP addresses in the range; so 192.168.0.128/28 is valid because 128 is a multiple of 16, but 192.168.0.136/28 is not valid because 136 is not a multiple of 16. If you used 192.168.0.136/29 however, it would be valid because 136 is a multiple of 8. You get the idea I hope!
I have tried what you suggested.
I actually wanted to give access to all IPs after 32, so I did:
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.32/28 -j ACCEPT (in the incoming packets from LAN section, I replaced the first line)
That means I have 16 IPs in one pool, and the first usable IP in the above case should be 192.168.0.33.
But it seems not to be working. I tried with the IPs 192.168.0.17 and 192.168.0.5; all are working fine and accessing the internet.
I should mention that I had flushed iptables before doing this, using the command iptables -F.
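The CIDR arithmetic in the reply above (block sizes and boundary alignment) and the result reported in the follow-up can both be checked with the script below. It is an added example, not code from the thread, written in plain POSIX sh. cidr_info prints the network address, broadcast address, usable host count and whether the address given is actually on a boundary (an unaligned address such as 192.168.0.136/28 is silently rounded down to 192.168.0.128 by iptables); in_block tests one host against a block; lan_rules prints, rather than runs, a rule set that carries the -s restriction into the FORWARD chain and the nat POSTROUTING rule as well as INPUT. That last point is what the follow-up shows: in the script as pasted, the rule "iptables -A FORWARD -i eth1 -j ACCEPT" accepts every source address on eth1, and LAN hosts reaching the internet through the router traverse FORWARD, not INPUT, so narrowing only the INPUT rule leaves 192.168.0.17 and 192.168.0.5 free to be forwarded. The interface names eth1 (LAN) and eth0 (WAN) and the MASQUERADE target are assumptions for the demo; for a fixed WAN address, as in the original setup, -j SNAT --to-source applies instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Pure POSIX sh: CIDR block
# checks plus a printed rule set that restricts FORWARD and nat, not just INPUT.
# Interface names eth1 (LAN) and eth0 (WAN) are assumptions for the demo.

# ip_to_int 192.168.0.136  ->  3232235656
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235656  ->  192.168.0.136
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info a.b.c.d/n  ->  "network broadcast usable aligned"
# aligned is "yes" when a.b.c.d is itself the network address (a multiple of
# the block size) and "no" when iptables would round it down to one.
cidr_info() {
    ci_ip=${1%/*}; ci_prefix=${1#*/}
    ci_n=$(ip_to_int "$ci_ip")
    ci_size=$(( 1 << (32 - ci_prefix) ))
    # mask = all ones above the host bits; 4294967295 is 0xFFFFFFFF
    ci_net=$(( ci_n & (4294967295 - (ci_size - 1)) ))
    ci_bcast=$(( ci_net + ci_size - 1 ))
    if [ "$ci_net" -eq "$ci_n" ]; then ci_aligned=yes; else ci_aligned=no; fi
    echo "$(int_to_ip "$ci_net") $(int_to_ip "$ci_bcast") $(( ci_size - 2 )) $ci_aligned"
}

# in_block a.b.c.d x.y.z.w/n  ->  exit 0 if the host lies inside the block
in_block() {
    set -- "$(ip_to_int "$1")" $(cidr_info "$2")
    [ "$1" -ge "$(ip_to_int "$2")" ] && [ "$1" -le "$(ip_to_int "$3")" ]
}

# lan_rules x.y.z.w/n LAN_IF WAN_IF  ->  prints (does not run) the rules.
# Refuses an unaligned block instead of letting iptables round it down.
lan_rules() {
    case "$(cidr_info "$1")" in
        *" no") echo "error: $1 is not aligned to a /${1#*/} boundary" >&2; return 1 ;;
    esac
    cat <<EOF
# LAN hosts outside $1 match nothing below and fall to the DROP policy
iptables -A INPUT -i $2 -s $1 -j ACCEPT
# FORWARD is the chain routed LAN traffic traverses: restrict it by source too
iptables -A FORWARD -i $2 -o $3 -s $1 -j ACCEPT
iptables -A FORWARD -i $3 -o $2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# translate only the permitted block; with a static WAN address use
# -j SNAT --to-source <wan ip> instead of MASQUERADE
iptables -t nat -A POSTROUTING -o $3 -s $1 -j MASQUERADE
EOF
}

# Usage: sh lanrules.sh 192.168.0.32/28 eth1 eth0
if [ "$#" -eq 3 ]; then
    lan_rules "$1" "$2" "$3"
fi
```

Save it under any name and run it with the block and the two interface names to print the rules for review; IP forwarding still has to be enabled on the router (net.ipv4.ip_forward=1) for the FORWARD and nat rules to see any traffic.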