--On Friday, December 27, 2002 01:18:41 PM +0100 OenusTech
<oenustech@oenus.com> wrote:
> hi there!
>
> could you help me with some questions I have?
>
> First, I need to deny access to some services to our LAN machines.
> However, 2 machines need access to those services. Here's what I put:
>
> DROP loc:!192.168.1.35,192.168.1.74 net tcp service1,service2
>
> However, it only works for the 1st IP.
Yes -- I really shouldn't accept a list there since it can never work
except for the first list entry.
What you can do:
ACCEPT loc:192.168.1.35 net tcp service1,service2
ACCEPT loc:192.168.1.74 net tcp service1,service2
DROP loc net tcp service1,service2
>
> Second, one of the machines in our LAN needs access to some services
> provided by a second machine on the internet. This second machine has a
> proprietary media server that uses random ports to send and receive data
> (in the words of the designers of the service, to avoid exploits...). Anyway,
> we need all packets coming from all ports on the second machine (that sits
> on the internet) to be redirected to our first machine on our LAN. Could
> you help me with the rule that would do that?
>
Hmmm - this is becoming a FAQ. Answered a similar question just last week.
DNAT net:<media server ip> loc:<first machine ip> tcp
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
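As an added example, not part of this thread and not Shorewall's own code: a small Python evaluator that applies first-match semantics to Shorewall-style rule lines. It lets you check that the three-rule replacement (two ACCEPTs followed by the catch-all DROP) decides exactly what the negated-list rule was meant to decide, that moving the DROP above the ACCEPTs makes them unreachable, and that the port-less DNAT rule forwards every TCP port from the media server (and nothing else, including UDP) to the LAN host. The zone layout (loc = 192.168.1.0/24, net = everything else), the zone policies, the port numbers 25 and 110 standing in for service1/service2, the media-server address 203.0.113.10 and the other addresses are all assumed for the example.

```python
"""Toy first-match evaluator for Shorewall-style rules (added example, not
Shorewall code).  It models only what the thread needs: zone membership,
optional host qualifiers with '!' negation, TCP destination ports and
first-match-wins ordering.  DNAT is modelled as "match on source, protocol
and port, then name the internal target"."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone layout: loc is the LAN, net is everything that is not the LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Assumed port numbers for the thread's placeholder service names.
SERVICES = {"service1": 25, "service2": 110}

# Assumed zone policies, applied when no rule matches; anything else is dropped.
POLICY = {("loc", "net"): "ACCEPT", ("net", "loc"): "DROP"}


@dataclass
class Rule:
    action: str
    src_zone: str
    src_hosts: list          # ip_network objects; empty means the whole zone
    src_negate: bool
    dst_zone: str
    dst_hosts: list
    dst_negate: bool
    proto: Optional[str]     # None means any protocol
    dports: Optional[set]    # None means any destination port


def zone_of(ip: str) -> str:
    return "loc" if ipaddress.ip_address(ip) in LAN else "net"


def parse_hosts(field: str):
    """'loc:!192.168.1.35,192.168.1.74' -> ('loc', [two /32 networks], True)."""
    if ":" not in field:
        return field, [], False
    zone, hosts = field.split(":", 1)
    negate = hosts.startswith("!")
    nets = [ipaddress.ip_network(h, strict=False)
            for h in hosts.lstrip("!").split(",") if h]
    return zone, nets, negate


def parse_rule(line: str) -> Rule:
    """Columns: ACTION SOURCE DEST [PROTO [DEST PORT(S)]], with '-' meaning any."""
    f = line.split()
    proto = f[3] if len(f) > 3 and f[3] != "-" else None
    dports = None
    if len(f) > 4 and f[4] != "-":
        dports = {SERVICES[p] if p in SERVICES else int(p) for p in f[4].split(",")}
    sz, sh, sn = parse_hosts(f[1])
    dz, dh, dn = parse_hosts(f[2])
    return Rule(f[0], sz, sh, sn, dz, dh, dn, proto, dports)


def host_match(ip: str, zone: str, nets: list, negate: bool) -> bool:
    if zone_of(ip) != zone:
        return False
    if not nets:
        return True
    listed = any(ipaddress.ip_address(ip) in n for n in nets)
    return not listed if negate else listed


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    if not host_match(src, rule.src_zone, rule.src_hosts, rule.src_negate):
        return False
    # For DNAT the DEST column is the rewrite target, not a match condition.
    if rule.action != "DNAT" and not host_match(dst, rule.dst_zone, rule.dst_hosts, rule.dst_negate):
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return rule.dports is None or dport in rule.dports


def decide(rules: list, src: str, dst: str, proto: str, dport: int) -> str:
    """Walk the rules in order; the first match wins, otherwise the zone policy."""
    for r in rules:
        if matches(r, src, dst, proto, dport):
            if r.action == "DNAT":
                target = str(r.dst_hosts[0].network_address) if r.dst_hosts else r.dst_zone
                return f"DNAT->{target}"
            return r.action
    return POLICY.get((zone_of(src), zone_of(dst)), "DROP")


def same_decisions(a: list, b: list, dport: int) -> bool:
    """True if rule sets a and b decide identically for every LAN host to one net host."""
    return all(decide(a, str(h), "198.51.100.7", "tcp", dport)
               == decide(b, str(h), "198.51.100.7", "tcp", dport)
               for h in LAN.hosts())


# The rule from the question, evaluated with the meaning it was intended to have.
NEGATED = [parse_rule("DROP loc:!192.168.1.35,192.168.1.74 net tcp service1,service2")]

# The three-rule replacement: explicit ACCEPTs first, then the catch-all DROP.
FIXED = [parse_rule(line) for line in (
    "ACCEPT loc:192.168.1.35 net tcp service1,service2",
    "ACCEPT loc:192.168.1.74 net tcp service1,service2",
    "DROP   loc              net tcp service1,service2",
)]

# The same three lines with the DROP moved first: the two ACCEPTs become unreachable.
WRONG_ORDER = [FIXED[2], FIXED[0], FIXED[1]]

# The DNAT answer with an assumed media-server address and no port restriction.
MEDIA = [parse_rule("DNAT net:203.0.113.10 loc:192.168.1.35 tcp")]

if __name__ == "__main__":
    for host in ("192.168.1.35", "192.168.1.74", "192.168.1.50"):
        print(host, "port 25:", decide(FIXED, host, "198.51.100.7", "tcp", 25),
              "| DROP-first order:", decide(WRONG_ORDER, host, "198.51.100.7", "tcp", 25))
    print("negated list == three rules:", same_decisions(NEGATED, FIXED, 25))
    print("media server tcp/40000:", decide(MEDIA, "203.0.113.10", "203.0.113.1", "tcp", 40000))
    print("media server udp/40000:", decide(MEDIA, "203.0.113.10", "203.0.113.1", "udp", 40000))
```

The evaluator implements the intended meaning of the negated list, which is what the three-rule form reproduces; it does not emulate the first-entry-only behaviour Tom describes. Two things worth noticing when you run it: a rule set is only as good as its order, since the DROP-first variant silently denies both hosts, and a DNAT rule with no port column forwards the whole TCP port range from the named source, so if the media server also uses UDP that traffic still falls through to the net-to-loc policy.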