Patrick Coleman wrote:
> How can I provide some services, but no internet access to untrusted hosts,
> yet still allow trusted clients on wireless to access the internet (clearly
> I can't simply firewall off the access point)?
>
> Thanks in advance,
> Patrick
Why not? That's exactly what I do at work.
The work setup is a linux box with 2 NICs; eth0 internal NW and eth1
external. DNAT. The firewall script reads /etc/firewall/ACL which
contains the IPs of the machines allowed internet access. More
specifically, ACL contains:
192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
192.168.1.4;udp;123;--dport;123
192.168.1.4;tcp;1024:65535;--dport;1024:65535
192.168.1.4;udp;1024:65535;--dport;1024:65535
Note that I chose semicolon as a delimiter because it was the first
thing I thought of that would work. I have as many of those 4-line
entries as there are allowed computers. Most have a much more limited
first line --dport list than I show here because they don't need all
those services.
Then the applicable part of the iptables script:
# Access control:
# $IFI / $IFE (internal / external interface) are set earlier in the script.
if [ -f /etc/firewall/ACL ]; then
    while read FWD ; do
        IP=`echo "$FWD" | cut -d ';' -f 1`
        PROTO=`echo "$FWD" | cut -d ';' -f 2`
        SPORT=`echo "$FWD" | cut -d ';' -f 3`
        PLURAL=`echo "$FWD" | cut -d ';' -f 4`   # either "--dport" or "-m mport --dports"
        DPORT=`echo "$FWD" | cut -d ';' -f 5 | cut -d '#' -f 1`   # strip an inline comment
        # $PLURAL stays unquoted so "-m mport --dports" expands to three words
        iptables -A FORWARD -i $IFI -o $IFE -s $IP -p $PROTO --sport $SPORT \
            $PLURAL $DPORT -j ACCEPT
    done </etc/firewall/ACL
fi
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The DPORT line allows "inline" comments at the end of any line. $IFE
and $IFI should be self explanatory. Everything on the FORWARD chain
that is not specifically allowed is denied (DROPped).
HTH
gypsy
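An added validator for the ACL format described above (example code, not the poster's script): it parses the semicolon-delimited entries, strips inline comments, rejects lines that would hand iptables a malformed or missing field, and builds the argument list the while-read loop would pass. The interface names eth0/eth1 come from the message; the sample ACL content is constructed.

```python
import ipaddress

# Constructed sample in the semicolon-delimited ACL format from the post; the
# last two lines are deliberately malformed to show what the validator rejects.
SAMPLE_ACL = """\
192.168.1.4;tcp;1024:65535;-m mport --dports;20:23,25,80,110,113,119,123,143,443,873
192.168.1.4;udp;123;--dport;123   # NTP only
192.168.1.4;tcp;1024:65535;--dport;1024:65535
192.168.1.4;udp;1024:65535;--dport;1024:65535

192.168.1.9;tcp;1024:65535;--dport
192.168.1.300;tcp;1024:65535;--dport;80
"""
PLURALS = ("--dport", "-m mport --dports")

def ports_ok(spec, allow_list):
    """'N' or 'N:M' per item; a comma list only with the '-m mport --dports' form."""
    items = spec.split(",")
    if len(items) > 1 and not allow_list:
        return False
    for item in items:
        lo, _, hi = item.partition(":")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            return False
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            return False
    return True

def parse_acl(text, ifi="eth0", ife="eth1"):
    """Return (rules, errors): each rule is the argv the while-read loop would pass to iptables."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # inline comment, as the DPORT cut does
        if not line:
            continue                               # the shell loop would call iptables with missing args
        f = [x.strip() for x in line.split(";")]
        if len(f) != 5:
            errors.append((lineno, "expected 5 fields, got %d" % len(f))); continue
        ip, proto, sport, plural, dport = f
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append((lineno, "bad source IP %r" % ip)); continue
        if proto not in ("tcp", "udp") or plural not in PLURALS:
            errors.append((lineno, "bad proto or plural field")); continue
        if not ports_ok(sport, False) or not ports_ok(dport, plural != "--dport"):
            errors.append((lineno, "bad port spec")); continue
        rules.append(["iptables", "-A", "FORWARD", "-i", ifi, "-o", ife, "-s", ip,
                      "-p", proto, "--sport", sport] + plural.split() + [dport, "-j", "ACCEPT"])
    return rules, errors
```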
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/