Blocking selected clients with iptables

Stephen Smith scsmith1451 at totacc.com
Fri Dec 30 20:24:01 MST 2005


Jason K Larson wrote:

> Stephen Smith wrote:
>
>> I'm running 192.168.1.x network at home where I have several 
>> computers. One is a Win98 box.  I would like to block it from access 
>> to the internet (no security), yet maintain its ability to talk to 
>> other computers and print servers on my internal network.  I'm using 
>> a separate RH9 box for my firewall with a 10.0.0.2 address talking to 
>> my DSL Modem at 10.0.0.1, both hard coded.  I've been using gShield 
>> to configure my fw which has been rock solid for more than three 
>> years, however, it does not have any features that I recognize to 
>> block clients, only external hosts. So I've been trying to add rules 
>> to iptables directly to effect blockage.
>>
>> I've tried -
>>
>> iptables -A INPUT -s 192.168.1.x -d 10.0.0.1 -j DROP
>> iptables -A INPUT -s 192.168.1.x -p ALL -d 10.0.0.1 -j DROP
>> iptables -A INPUT -s 192.168.1.x -p tcp --dport 80 -j DROP
>> iptables -A INPUT -s 192.168.1.x -p tcp -m multiport --dports 80,8080,8008,443 -j DROP
>>
>> and many variations of the above.  Yet none of them stop MSExplorer 
>> from accessing the net.  Not being a network guy but an Oracle guy, I 
>> need a bit of help to solve this problem.  Could someone out there 
>> help out a floundering DBA?
>>
>
> Try such rules in POSTROUTING of the nat table, or in the OUTPUT or 
> FORWARD chains of the filter table.  Obviously these need to precede 
> any other rules that would move them to another chain or table, as is 
> likely happening with your INPUT chain.
>
> I'd personally recommend POSTROUTING of the nat table.
>
> -- 
> Jason K Larson
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
Thanks that worked.