Hi,
We have a private network, all connected to a hub. We also have access to the internet through our Linux machine, but I want to limit the clients' access to the internet.
What I did in iptables is to list all the clients that I want to have access.
Like this:
iptables -t nat -A POSTROUTING -p ip -s <client ip> -j SNAT --to-source <public ip>
I'd list all clients one by one like that. As I tested it, clients that were not listed are unable to access the internet, which is correct and intended.
Now, I would just like to verify whether that is the right way to do it, or whether there is a better way.
I also noticed that when clients have managed to connect to the internet, for example using a messenger (Yahoo or MSN), and I want to disconnect them by removing their entry in iptables, they are not disconnected automatically.
They can still use it even after I have restarted the firewall and flushed the nat table. But once they exit the messenger, they cannot log back in. Until they exit, they can still get through.
What could I be missing there?
Thanks in advance,
Neil
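
Added example, not part of the original post: the same allowlist expressed in the filter table's FORWARD chain with a single SNAT rule, plus the step that ends a removed client's existing sessions. The nat table is only consulted for the first packet of a connection, after which the connection-tracking entry keeps translating the rest. The addresses, interface name and function names are constructed placeholders, and the script only prints the commands.

```shell
#!/bin/sh
# Added example: prints the commands instead of running them, so the rule
# set can be reviewed first. Pipe the output to "sh" as root to apply it.

# Constructed sample values (documentation address ranges), not from the post.
PUBLIC_IP="203.0.113.10"      # assumed public address of the Linux gateway
WAN_IF="eth0"                 # assumed internet-facing interface
LAN_NET="192.168.1.0/24"      # assumed private network behind the hub
ALLOWED="192.168.1.10 192.168.1.11"   # clients permitted to reach the internet

# Access control lives in filter/FORWARD; NAT is one rule for the whole LAN.
gen_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Packets of connections that were permitted when they started.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only listed clients may open new connections towards the internet.
    for ip in $ALLOWED; do
        echo "iptables -A FORWARD -s $ip -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
}

# Revoking a client takes two steps: remove its rule, then delete the
# connection-tracking entries it already holds. Flushing rules alone leaves
# those entries in place, so open sessions keep being forwarded and
# translated until they end.
gen_revoke() {
    ip="$1"
    echo "iptables -D FORWARD -s $ip -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    # conntrack is the CLI from conntrack-tools; -s matches the original source.
    echo "conntrack -D -s $ip"
}

gen_rules
gen_revoke 192.168.1.11
```

After the conntrack entries are deleted, the next packet of an open session is treated as a new connection and falls through to the DROP policy.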