- 01-26-2010 #1
how do i set this rule?
Hi guys,
I have one question.
Suppose the task is: set up a squid proxy server but only allow access for clients in the example.com domain and deny all others.
If I am faced with a situation like that, how do I go about putting the rule in iptables? I can easily put
Code:
-A RH-Firewall-1-INPUT -p tcp --dport 3128 -j REJECT
but how do I find out what the IP address or range should be for clients in the example.com domain? What command should I type, and what should I be putting in iptables besides the line on top? Suppose the IP addresses are on the LAN.
pls help guys....
- 01-26-2010 #2
If it's the LAN, then you should already know the IP address range. You will be better off giving iptables a CIDR though:
Code:
192.168.0.0/24
That is a 255.255.255.0 (aka Class C) range.
For iptables your CIDR would go into the -s or --source, whichever option you prefer to use.
- 01-26-2010 #3
- 01-27-2010 #4
If you are physically connected to the LAN, and I assume you are running on a Linux box, run this command:
Code:
ifconfig
You'll have to do this as root, or maybe have to do:
Code:
sudo /sbin/ifconfig
You should have results like:
Code:
eth1      Link encap:Ethernet  HWaddr 00:1D:09:AC:CB:F8
          inet addr:192.168.0.241  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6370 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2689680 (2.5 Mb)  TX bytes:434611 (424.4 Kb)
          Interrupt:17
Take note of your Mask. For me it's a Class C, so it would be /24. You can google yours to find out your equivalent CIDR if you don't know about subnetting.
- 01-28-2010 #5
- 01-28-2010 #6
Code:
iptables -A INPUT -p tcp -s 172.24.0.0/16 --dport 25 -j DROP
This would drop all traffic coming at the firewall destined for port 25 on that network range.
If you wanna allow traffic, change the jumper (the -j) to ACCEPT.
It really depends on your default chain policy; that would dictate the situation.
e.g.
INPUT DROP
OUTPUT DROP
FORWARD DROP
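Putting replies #2, #4 and #6 together, as an added example that is not from the thread: it turns the "inet addr"/"Mask" pair that ifconfig prints (reply #4) into the CIDR reply #2 asks for, then prints the ACCEPT/REJECT pair for port 3128 in the order iptables must see them. It assumes the plain INPUT chain and only prints the rules; the ifconfig text is a constructed sample.

```shell
# Added example, not from the thread: turn the "inet addr"/"Mask" pair that
# ifconfig prints into a CIDR and emit the iptables rules that let only that
# LAN reach squid on 3128. Only prints the rules; nothing is applied.

# mask_to_prefix 255.255.255.0 -> 24  (count the set bits of a dotted-quad mask)
mask_to_prefix() {
    prefix=0
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    for octet in "$@"; do
        n=$octet
        while [ "$n" -gt 0 ]; do
            prefix=$((prefix + (n & 1)))
            n=$((n >> 1))
        done
    done
    echo "$prefix"
}

# network_of 192.168.0.241 255.255.255.0 -> 192.168.0.0  (AND ip with mask)
network_of() {
    oldIFS=$IFS; IFS=.; set -- $1 $2; IFS=$oldIFS   # $1..$4 ip, $5..$8 mask
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# lan_cidr "<ifconfig output>" -> 192.168.0.0/24, from the first inet addr line
lan_cidr() {
    line=$(printf '%s\n' "$1" | grep 'inet addr:' | head -n 1)
    ip=${line#*inet addr:};  ip=${ip%% *}
    mask=${line#*Mask:};     mask=${mask%% *}
    echo "$(network_of "$ip" "$mask")/$(mask_to_prefix "$mask")"
}

# squid_rules 192.168.0.0/24 -> the two rules in the order iptables must see
# them: ACCEPT for the LAN first, the catch-all REJECT last. Substitute the
# RH-Firewall-1-INPUT chain from the first post if your distro uses it.
squid_rules() {
    printf 'iptables -A INPUT -p tcp -s %s --dport 3128 -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 3128 -j REJECT\n'
}

# Constructed sample, modelled on the ifconfig output posted in reply #4.
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:1D:09:AC:CB:F8
          inet addr:192.168.0.241  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

cidr=$(lan_cidr "$SAMPLE_IFCONFIG")
echo "LAN is $cidr"       # LAN is 192.168.0.0/24
squid_rules "$cidr"
```

With -A the ACCEPT line has to be appended before the REJECT line, otherwise the catch-all matches first and the LAN is locked out too.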