-   Linux - Security (
-   -   Is this good iptables practice ? (

michaelsanford 05-20-2005 08:51 PM

Is this good iptables practice ?
I'm writing a wireless authenticator that uses iptables to redirect to a login page, then execute more iptables commands to allow the user access once their credentials are verified.

I want the users to be able to use Internet services and connect to each other over SSH and FTP but not things like NetBIOS, SMTP or Rendezvous. I've devised a way to capture this in essentially a single rule.

Is this good practice? Will this rule do what I think it will?

iptables -t nat -I PREROUTING -p tcp -i wlan0 -s --match mac \
--mac-source 00:30:65:21:a9:ff -m multiport ! --dport 23,24,25,113,137,138,139,427,548 \
-m iprange ! --dst-range ACCEPT

Insert into the prerouting chain of the nat table : if a TCP packet comes in on wlan0 from IP and MAC address 00:30:65:21:a9:ff and is not trying to access special ports on the WLAN accept it (otherwise let it get DNATed further down the chain).

This rule is inserted at position index of the PREROUTING chain (rather than filter table's FORWARD chain) because that's where an unauthenticated client will be DNATed to the authentication system.

Can I do this more simply with 'match multiport' and substitute `-o wlan0` for the iprange? I still want to make sure that clients can access those services if they're on the Internet (for example SMTP might be nice ;) ) because some people do use AFP over TCP/IP.

I have identical rules for TCP and for UDP because multiport requires a tcp/udp specification.

michaelsanford 05-21-2005 09:32 PM

To avoid making a bunch of rules I decided it would be better to simply add the WLAN services block to the FOWARD chain and make a much much simpler allow statement.

All times are GMT -5. The time now is 04:54 AM.