>
> Could anyone enlighten me on this matter? I had set up my Linux box
> to masquerade to share an internet connection; it works properly, but when
> I try to block services, those do not take effect. E.g. I want to block
> web access for a certain user (we are using static IPs 192.168.x.x). I
> had ipchains -A input -i eth0 -s 192.168.168.50/32 80 -p tcp -j DENY (I
> set the default policy to accept as of now but will change it later on).
> I also tried ipchains -A input -i ppp0 -s 192.168.168.50/32 80 -p tcp -j
> DENY. It also doesn't work. What should I do to limit the access of
> users? How do I make it work? If I do not use masquerade, that rule works
> fine.
>
# allow 192.168.0.2 to access unrestrictedly
/sbin/ipchains -A forward -s 192.168.0.2/32 -j MASQ
# deny napster, mirc and other weird ports
/sbin/ipchains -A forward -p tcp -s 0/0 -d 0/0 6000:7174 -j DENY
# allow 192.168.0.1 to access without the above banned services
/sbin/ipchains -A forward -s 192.168.0.1/32 -j MASQ
A better way of doing this, as advocated on the list, is to allow only
certain services rather than just banning services.
# allow 192.168.0.2 without restriction
/sbin/ipchains -A forward -s 192.168.0.2/32 -j MASQ
# allow 192.168.0.1 only to use the web and the proxy and to check IMAP email
/sbin/ipchains -A forward -p tcp -s 192.168.0.1/32 -d 0/0 3128 -j MASQ
/sbin/ipchains -A forward -p tcp -s 192.168.0.1/32 -d 0/0 80 -j MASQ
/sbin/ipchains -A forward -p tcp -s 192.168.0.1/32 -d 0/0 143 -j MASQ
Good luck.
--------------------------------------
William Emmanuel S. Yu
Ateneo Cervini-Eliazo Networks (ACENT)
email : [EMAIL PROTECTED]
web : http://cersa.admu.edu.ph/
phone : 63(2)4266001-5925/5904
The reason that every major university maintains a department of
mathematics is that it's cheaper than institutionalizing all those people.
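As an added example (my own code, not from the reply above or from ipchains itself), the Python below simulates the first-match evaluation of an ipchains forward chain so the two rulesets from the reply can be checked against sample packets before they are loaded: the deny-list still masquerades 192.168.0.1 to any port outside 6000:7174, while the allow-list passes only the three listed services. It models only the match fields the reply's rules use (-s, -d, -p and destination port), and it assumes the forward chain's default policy is DENY, with 203.0.113.5 as a constructed destination address.

```python
# Simulation of ipchains forward-chain matching; default policy DENY is assumed
# and all packet addresses used with it are constructed sample values.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

def net(spec: str):
    # ipchains spells "any address" as 0/0; the ipaddress module wants 0.0.0.0/0
    return ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

# A packet as the forward chain sees it: source, destination, protocol, destination port.
Packet = namedtuple("Packet", "src dst proto dport")

@dataclass
class Rule:
    target: str                                # -j MASQ or -j DENY
    src: str = "0/0"                           # -s network
    dst: str = "0/0"                           # -d network
    proto: Optional[str] = None                # -p; None matches any protocol
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in net(self.src) or ip_address(pkt.dst) not in net(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.dports is None or self.dports[0] <= pkt.dport <= self.dports[1]

def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """ipchains semantics: the first matching rule decides; no match means the default policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# The deny-list ruleset from the reply: exempt .2, ban tcp/6000-7174, then let .1 through.
DENY_LIST = [
    Rule("MASQ", src="192.168.0.2/32"),
    Rule("DENY", proto="tcp", dports=(6000, 7174)),
    Rule("MASQ", src="192.168.0.1/32"),
]
# The allow-list ruleset from the reply: .1 may only reach tcp/3128, tcp/80 and tcp/143.
ALLOW_LIST = [
    Rule("MASQ", src="192.168.0.2/32"),
    Rule("MASQ", src="192.168.0.1/32", proto="tcp", dports=(3128, 3128)),
    Rule("MASQ", src="192.168.0.1/32", proto="tcp", dports=(80, 80)),
    Rule("MASQ", src="192.168.0.1/32", proto="tcp", dports=(143, 143)),
]
```

Rule order matters under first-match semantics: moving the 192.168.0.2 rule below the DENY rule in DENY_LIST would ban that host from the same ports.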
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]