Hi Asim,

think about subnetting, allocating different subnets to individual bridges (if needed) and managing traffic via iptables or a proxy.

cheers,
Mat

-----Original Message-----
Sent: Thursday 09.03.06 17:25:14
Subject: [Shorewall-users] How to make groups of hosts to assign a...

> Hi,
>
> It would be gr8 if anybody can help me out on this issue:
>
> I want to give access to the internet to a certain group of ppl on my LAN. For
> example my office LAN range is from 192.168.4.10 to 192.168.4.50. What I want
> is to make two groups of users. One is ranging from 192.168.4.20 to
> 192.168.4.25 and the other is ranging from 192.168.4.35 to 192.168.4.40, and
> allow only these ppl to have access to the internet.
>
> Your help is greatly appreciated.
>
> -- Asim Ahmed.
wooow....

Dear all - sorry, I mixed up my lists :-(

Wrong answer on wrong list.

But generally speaking I was right.

Asim, create subnets and allocate your clients accordingly. Then use a proxy granting access for these subnets and configure shorewall to allow connection from your subnet to the proxy and allow the proxy to be connected to the web.

For sure also SNAT / NAT would be possible but I would advise the proxy solution.

cheers,
Mat

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Mathias Diehl
Sent: Thursday, 9 March 2006 16:03
To: Shorewall-users@lists.sourceforge.net; asimak77@gmail.com
Subject: Re: [Shorewall-users] How to make groups of hosts to assign .

> [...]
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Thursday 09 March 2006 08:58, Mathias Diehl wrote:

> wooow....
>
> Dear all - sorry, I mixed up my lists :-(
>
> Wrong answer on wrong list.
>
> But generally spoken I was right.
>
> Asim, create subnets and allocate your clients accordingly. Then use a
> proxy granting access for these subnets and configure shorewall to allow
> connection from your subnet to the proxy and allow the proxy to be
> connected to the web.
>
> For sure also SNAT / NAT would be possible but I would advise the proxy
> solution.

I strongly advise against using SNAT as an access control mechanism. If you want to limit net access then:

a) Set your loc->net policy to REJECT.

b) Add ACCEPT rules that allow those ranges of IP addresses to be allowed to access the net:

    ACCEPT loc:192.168.4.10-192.168.4.50 net
    ACCEPT loc:192.168.4.35-192.168.4.40 net

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Thursday 09 March 2006 21:05, Asim Ahmed Khan wrote:

> Hi Tom,
>
> I am getting this error when I set up the rules you mentioned for limiting
> internet access to a certain group of people on LAN
>
>
> iptables v1.2.7a: Couldn't load match
> `iprange':/lib/iptables/libipt_iprange.so: cannot open shared object file:
> No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -A loc2net -m iprange --src-range
> 192.168.4.1-192.168.4.10 -j ACCEPT" Failed
>
> I suspect that my kernel is not capable of handling iptables range-matching
> requests ... any idea how can I fix it?

Three alternatives:

a) Break the ranges down into the equivalent subnetworks and use multiple rules per range (the "shorewall iprange" command will help you).

b) Use more intelligent ranges (network administrators should always think in terms of powers of two rather than in terms of how many fingers they have). If you use ranges like 16-31 rather than 20-29 then you can express your ranges using CIDR notation. See http://www.shorewall.net/shorewall_setup_guide.htm#Addressing for details.

c) Patch your kernel and iptables using patch-o-matic-ng from the Netfilter site to include iprange support.

Also, please don't reply to me personally but rather keep threads on the list. That way all list subscribers (and those searching the archives) can potentially benefit from your question.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
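Option (a) above, worked through as an added example: this is a stand-alone re-implementation of the range-to-CIDR split, not Shorewall's own "shorewall iprange" command, applied to the two groups from Asim's question and printed in the ACTION SOURCE DEST column order that Tom's rules use. The greedy algorithm is cross-checked against Python's ipaddress.summarize_address_range.

```python
import ipaddress


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Cover the inclusive IPv4 range first..last with the fewest CIDR blocks.

    Greedy: at the current start address, take the largest block that is both
    aligned on its own size and does not run past the end of the range.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is after range end {last}")
    blocks = []
    while lo <= hi:
        prefix = 32  # a single host always fits
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # hosts in the next larger block
            if lo % size != 0 or lo + size - 1 > hi:
                break  # misaligned or would overshoot: keep current prefix
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += 1 << (32 - prefix)
    return blocks


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check the greedy split against the standard library's version."""
    ref = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return ref == range_to_cidrs(first, last)


def shorewall_rules(src_zone: str, dst_zone: str, ranges) -> list[str]:
    """One ACCEPT rule per CIDR block (ACTION SOURCE DEST columns of the
    rules file), so no iprange match module is needed on the firewall."""
    return [f"ACCEPT {src_zone}:{cidr} {dst_zone}"
            for first, last in ranges
            for cidr in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # The two groups from Asim's question (addresses taken from the thread).
    groups = [("192.168.4.20", "192.168.4.25"),
              ("192.168.4.35", "192.168.4.40")]
    for rule in shorewall_rules("loc", "net", groups):
        print(rule)
```

The 35-40 group alone needs three rules, which illustrates Tom's point (b): a power-of-two range such as 16-31 collapses to a single 192.168.4.16/28.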
Hi Tom,

Thanks for your and all other ppl's help. Finally I managed to divide my LAN users in groups to utilize two broadband connections through shorewall. I found patching the iptables & kernel hard to achieve cuz I tried patch-o-matic but it didn't work for me and made my kernel unstable ... previously I was using Redhat ES3 for firewall that comes with iptables v1.28xxx. Now I installed Fedora Core 4 and it comes with iptables 1.3.xxx that has iprange matching functionality built in so it is working fine.

Regards,
- Asim.

On 3/10/06, Tom Eastep <teastep@shorewall.net> wrote:

> [...]

-- 
Sr. System Engineer
Folio3 Pvt. Ltd
URL : http://www.clickmarks.com
email : asimak77@gmail.com
MSN : asimak77@hotmail.com