Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 05-20-2005, 08:51 PM   #1
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
Is this good iptables practice ?

I'm writing a wireless authenticator that uses iptables to redirect to a login page, then execute more iptables commands to allow the user access once their credentials are verified.

I want the users to be able to use Internet services and connect to each other over SSH and FTP but not things like NetBIOS, SMTP or Rendezvous. I've devised a way to capture this in essentially a single rule.

Is this good practice? Will this rule do what I think it will?

iptables -t nat -I PREROUTING -p tcp -i wlan0 -s --match mac \
--mac-source 00:30:65:21:a9:ff -m multiport ! --dport 23,24,25,113,137,138,139,427,548 \
-m iprange ! --dst-range ACCEPT

Insert into the prerouting chain of the nat table : if a TCP packet comes in on wlan0 from IP and MAC address 00:30:65:21:a9:ff and is not trying to access special ports on the WLAN accept it (otherwise let it get DNATed further down the chain).

This rule is inserted at position index of the PREROUTING chain (rather than filter table's FORWARD chain) because that's where an unauthenticated client will be DNATed to the authentication system.

Can I do this more simply with 'match multiport' and substitute `-o wlan0` for the iprange? I still want to make sure that clients can access those services if they're on the Internet (for example SMTP might be nice ) because some people do use AFP over TCP/IP.

I have identical rules for TCP and for UDP because multiport requires a tcp/udp specification.
Old 05-21-2005, 09:32 PM   #2
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
To avoid making a bunch of rules I decided it would be better to simply add the WLAN services block to the FOWARD chain and make a much much simpler allow statement.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables good practice - 2 questions ddaas Linux - Security 1 05-31-2005 07:09 AM
IPTABLES Firewall (Good enough????) wardialer Linux - Security 10 03-01-2005 09:29 AM
installing and managing new apps. good practice! bikov_k Linux - Newbie 4 10-02-2004 04:23 PM
A good practice for compiling? Micro420 Mandriva 29 08-09-2004 03:36 AM
Good Old IPTABLES Question jrmann1999 Linux - Networking 2 06-20-2001 09:59 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:20 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration