Hi,

I have configured a iptables firewall, it was runnning fine . All the private ip pool of 192.168.0.0 was given access to internet through static natting.

but now i want let only a selected number of ips get access. please advice on the sysntax. I am also pasting the script for your referral. pls suggest changes to that if you have any. But main issue is to limit the number of users, say want to let only 10 users in the default subnet only to access internet. what is the syntax that i shud use instead of 192.168.0.0/24.

ptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#icoming packets from lan
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.255 -j ACCEPT

# WAN LINES
iptables -A INPUT -p ALL -d [wan ip addrss] -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP RULE

iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j ACCEPT

#OTHER RULES WAN
iptables -A INPUT -p ALL -i eth0 -s 0/0 --destination-port 25 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -s 0/0 --destination-port 110 -j ACCEPT

#ICMP RULE
iptables -A INPUT -p ICMP -i eth0 -s 0/0 icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 icmp-type 11 -j ACCEPT

# FORWARD RULE
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#SPOOFING
ipatables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s [WAN IP] -j ACCEPT

#NAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source [WAN IP]

The easiest thing to do is to use the x.x.x.x./y syntax, but to lock it down further. For example, 192.168.0.0/28 is defined as the subnet 192.168.0.0-192.168.0.15 (there are 16 addresses in this subnet, but 0.0 is the network address and 0.15 is the broadcast address, leaving 14 usable addresses).

Because it's a binary system, it has to work in powers of 2 - here's a more detailed list:

192.168.0.0/25: 192.168.0.0 - 192.168.0.127 (126 usable IPs)
192.168.0.0/26: 192.168.0.0 - 192.168.0.63 (62 usable IPs)
192.168.0.0/27: 192.168.0.0 - 192.168.0.31 (30 usable IPs)
192.168.0.0/28: 192.168.0.0 - 192.168.0.15 (14 usable IPs)
192.168.0.0/29: 192.168.0.0 - 192.168.0.7 (6 usable IPs)
192.168.0.0/30: 192.168.0.0 - 192.168.0.3 (2 usable IPs)
192.168.0.0/31: 192.168.0.0 - 192.168.0.1 (no usable IP addresses)

Of course, you don't have to stick with starting at the beginning of the 192.168.0 range - for example you could put your users somewhere in the middle of the range:

192.168.0.128/28: 192.168.0.128 - 192.168.0.143

If you're gonna do this though, be careful - the boundaries you start on have to be a multiple of the number of IP addresses in the range; so 192.168.0.128/28 is valid because 128 is a multiple of 16, but 192.168.0.136/28 is not valid because 128 is not a multiple of 16. If you used 192.168.0.136/29 however, it would be valid because 136 is a multiple of 8. You get the idea I hope!

Hi,

I have tried what you have suggested.
I wanted to actually give access to all ips after 32 so i did -----

iptables -A INPUT -p ALL -i eth1 -s 192.168.0.32/28 -j ACCEPT (in the incoming packets from lan section, i replaced the first line)

that means i have 16 ips in one pool and first usable ip in the above case should be 192.168.0.33,

But it seems to be not working. I tried with ips of 192.168.0.17, 192.168.0.5 all are working fine and accessing internet.
I should mention that i had flushed the iptables before doing this by using the command iptables -F

pls help urgent!!

Can you do

and post the contents of the file so I can see the complete ruleset as it is at the moment.