On Thu, 2002-04-18 at 07:01, Antony Stone wrote:
> My thought is to have a rule at the top of the FORWARDing chain which
> specifically blocks packets to/from (doesn't really matter which) the IP
> address which has just logged off - then the logon process removes that rule
> to allow packets to flow ?
I did a slight variation of your idea. I begin with two DROP rules for all IPs from the local LAN that would be routed to the external interface. Then, as each user logs on, the system -I's two ACCEPT rules so the station IP gets clear. It works wonders -- downloads stop dead in their tracks when the user logs off! Many many thanks. Joo roolz.

I did it that way because I want to have a small /etc/sysconfig/iptables to start with, and I want it to be independent of which stations there can be in the internal LAN. Also, I chose to block BOTH incoming and outgoing packets, just to be on the safe side.

And in case you're wondering about this port 27719 business, it's a little daemon that forces any web access to return a "Location:" to the logon page if the station is not logged in. Neat huh?

iptables-save "before":
---------------------------------------------------------------
# Generated by iptables-save v1.2.4 on Thu Apr 18 13:41:54 2002
*nat
:PREROUTING ACCEPT [932:51218]
:POSTROUTING ACCEPT [280:22185]
:OUTPUT ACCEPT [276:21849]
-A PREROUTING -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 27719
COMMIT
# Completed on Thu Apr 18 13:41:54 2002
# Generated by iptables-save v1.2.4 on Thu Apr 18 13:41:54 2002
*mangle
:PREROUTING ACCEPT [20786:12943457]
:OUTPUT ACCEPT [3425:336674]
COMMIT
# Completed on Thu Apr 18 13:41:54 2002
# Generated by iptables-save v1.2.4 on Thu Apr 18 13:41:54 2002
*filter
:INPUT ACCEPT [3515:358880]
:FORWARD ACCEPT [39:3276]
:OUTPUT ACCEPT [3430:337227]
-A FORWARD -d 192.168.2.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -s 192.168.2.0/255.255.255.0 -o eth0 -j DROP
COMMIT
# Completed on Thu Apr 18 13:41:54 2002
---------------------------------------------------------------

iptables-save after 4 users logged in:
---------------------------------------------------------------
# Generated by iptables-save v1.2.4 on Thu Apr 18 13:43:39 2002
*nat
:PREROUTING ACCEPT [932:51218]
:POSTROUTING ACCEPT [311:24789]
:OUTPUT ACCEPT [307:24453]
-A PREROUTING -s 192.168.2.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.2.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.2.10 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.2.3 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 27719
-A POSTROUTING -s 192.168.2.3 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.10 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.100 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.2 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 18 13:43:39 2002
# Generated by iptables-save v1.2.4 on Thu Apr 18 13:43:39 2002
*mangle
:PREROUTING ACCEPT [21237:12970989]
:OUTPUT ACCEPT [3498:343312]
COMMIT
# Completed on Thu Apr 18 13:43:39 2002
# Generated by iptables-save v1.2.4 on Thu Apr 18 13:43:39 2002
*filter
:INPUT ACCEPT [3589:363725]
:FORWARD ACCEPT [39:3276]
:OUTPUT ACCEPT [3503:343721]
-A FORWARD -s 192.168.2.2 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.2.2 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.2.100 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.2.100 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.2.10 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.2.10 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.2.3 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.2.3 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.2.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -s 192.168.2.0/255.255.255.0 -o eth0 -j DROP
COMMIT
# Completed on Thu Apr 18 13:43:39 2002
---------------------------------------------------------------

-- 
Juan Carlos Castro y Castro | "Standing up to an evil system is
[EMAIL PROTECTED]           | exhilarating." -Richard Stallman
Rio de Janeiro - Brazil     | http://www.vialink.com.br/~jcastro
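As an added example (not the poster's script and not part of the original thread), here is the login/logout side of the scheme as a small POSIX shell helper. It loads the same baseline the "before" dump shows (REDIRECT of port 80 to the portal daemon, FORWARD DROP in both directions) and, per station, the four rules that appear in the "after" dump. Two things the dumps cannot show are worth having in the helper: the station address must be validated before it reaches the iptables command line, because in this setup it typically comes from the web login form, and a repeated login must not stack a duplicate set of rules that a single logout would leave behind. The LAN range, interface name and port 27719 are taken from the dumps; the DRY_RUN switch, the iptables -C probe (which needs iptables 1.4.11 or later, far newer than the 1.2.4 in the dumps) and all the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own script: a login/logout helper that
# manages the per-station rules in the style of the iptables-save dumps above.
# Assumptions (mine, not from the post): LAN 192.168.2.0/24, uplink eth0,
# portal daemon on 27719. Set DRY_RUN=1 to print the iptables commands
# instead of running them (no root needed).

LAN_NET="${LAN_NET:-192.168.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"
PORTAL_PORT="${PORTAL_PORT:-27719}"

# Run iptables, or just print the command line when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Accept only a dotted quad: the station address typically arrives from a
# web login form, and anything else must never reach the iptables command line.
valid_ip4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots in a subshell so the caller's IFS and "$@" are untouched.
    ( IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
      for o; do [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1; done )
}

# Baseline, loaded once at boot: unauthenticated web traffic is redirected to
# the portal, and everything between the LAN and the uplink is dropped both ways.
baseline_rules() {
    ipt -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    ipt -A FORWARD -d "$LAN_NET" -i "$WAN_IF" -j DROP
    ipt -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j DROP
}

# The four rules one station needs. Login inserts them (-I, at the head of the
# chain, so they are matched before the baseline REDIRECT/DROP rules); logout
# deletes them with -D and an identical match spec.
station_rules() {  # $1 = -I or -D, $2 = station IP
    ipt -t nat "$1" PREROUTING -s "$2" -p tcp --dport 80 -j ACCEPT
    ipt -t nat "$1" POSTROUTING -s "$2" -o "$WAN_IF" -j MASQUERADE
    ipt "$1" FORWARD -s "$2" -o "$WAN_IF" -j ACCEPT
    ipt "$1" FORWARD -d "$2" -i "$WAN_IF" -j ACCEPT
}

# Is this station already logged in? Probes one of its rules with -C
# (iptables 1.4.11 or later); always answers "no" in dry-run mode.
logged_in() {
    [ -z "${DRY_RUN:-}" ] || return 1
    iptables -C FORWARD -s "$1" -o "$WAN_IF" -j ACCEPT 2>/dev/null
}

station_login() {
    valid_ip4 "$1" || { echo "login: refusing address '$1'" >&2; return 1; }
    # Idempotent: a second login must not stack a duplicate set of rules that
    # a single logout would leave behind.
    logged_in "$1" && return 0
    station_rules -I "$1"
}

station_logout() {
    valid_ip4 "$1" || { echo "logout: refusing address '$1'" >&2; return 1; }
    if [ -z "${DRY_RUN:-}" ] && ! logged_in "$1"; then
        echo "logout: no rules for $1" >&2
        return 0
    fi
    station_rules -D "$1"
}

# Command-line use: portal-rules.sh baseline | login IP | logout IP
case "${1:-}" in
    baseline) baseline_rules ;;
    login)    station_login "${2:-}" ;;
    logout)   station_logout "${2:-}" ;;
    "")       ;;  # no arguments: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 {baseline|login IP|logout IP}" >&2; exit 2 ;;
esac
```

Two caveats the dumps make visible. The gate is keyed on source IP only, so another station on the same LAN that takes over a logged-in address after its owner walks away inherits the access; if that matters, add -m mac --mac-source to the per-station rules as well, accepting that a MAC is not much harder to forge. And a -D only works when it repeats the exact match spec used at -I, which is why the helper keeps both in one function so they cannot drift apart.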
