Banning outbound connection to host list except for some few hosts

Post by Ming Ching Ti » Tue, 03 Dec 2002 12:16:49
I am using iptables and nat.

My requirement is this:-

eg.

BANNED_LIST="www.hotmail.com www.yahoo.com"
EXCEPTION_LIST="192.168.0.1 192.168.0.2 192.169.0.3"

In English,

   1. Everybody can make outbound connections to everywhere
      except those hosts on the banned_list.

   2. For connections to the banned_list, only the machines
      in the exception_list can connect.

My attempt to configure the above is this :-

I am particularly stuck with needing to
specify multiple unrelated -d and -s, which
iptables currently does not support.

------------------attempts that failed---------------------------

for j in ${BANNED_LIST}
do
   # masquerade everything whose destination is not ${j}
   iptables -t nat -A POSTROUTING -o eth1 -d ! ${j} -j MASQUERADE
   # then masquerade traffic to ${j} only from the exception hosts
   for i in ${EXCEPTION_LIST}
   do
      iptables -t nat -A POSTROUTING -o eth1 -d ${j} -s ${i} -j MASQUERADE
   done
done

------------------------------------------------------

Appreciate any help.
Ming-Ching


Banning outbound connection to host list except for some few hosts

Post by Ming Ching Ti » Tue, 03 Dec 2002 16:55:05


I changed the sh script slightly; this will probably work (???):-

# specify the assertion list first: for every banned host, masquerade
# traffic to it only when it comes from an exception host
for j in ${BANNED_LIST}
do
  for i in ${EXCEPTION_LIST}
  do
      iptables -t nat -A POSTROUTING -o eth1 -d ${j} -s ${i} -j MASQUERADE
  done
done

# specify the negation list later: masquerade everything whose
# destination is not ${j} (with two or more banned hosts, the rule for
# the first host also matches packets bound for the others)
for j in ${BANNED_LIST}
do
    iptables -t nat -A POSTROUTING -o eth1 -d ! ${j} -j MASQUERADE
done

Anyone want to comment?

Regards,
Ming-Ching


Quote:

> for j in ${BANNED_LIST}
> do
>    iptables -t nat -A POSTROUTING -o eth1 -d ! ${j} -j MASQUERADE
>    for i in ${EXCEPTION_LIST}
>    do
>       iptables -t nat -A POSTROUTING -o eth1 -d ${j} -s ${i} -j MASQUERADE
>    done
> done

> ------------------------------------------------------

> Appreciate any help.
> Ming-Ching
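The two requirements from the first post, and the ordering problem the second post's script runs into, can be expressed without negated destinations. The script below is an added example and is not code from either post: it keeps the nat table to a single unconditional MASQUERADE and puts the per-destination decisions in the filter table's FORWARD chain, where a packet that matches no ACCEPT rule is actually refused (a packet that merely matches no MASQUERADE rule is still forwarded, just untranslated). The function names `gen_rules` and `count_rules`, the internal interface `eth0` and the sample addresses are assumptions; `eth1` is the external interface from the posts. The script prints the iptables commands rather than executing them so the resulting ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original posts. Prints the iptables commands
# that implement: everyone may reach anything except BANNED_LIST; only the
# hosts in EXCEPTION_LIST may reach BANNED_LIST.
#
# Filtering lives in filter/FORWARD. The first matching rule in a chain wins,
# so the ACCEPT rules for the exception hosts are emitted before the DROP
# rule for the same destination. The nat table then needs only one
# unconditional MASQUERADE rule, with no -d or -s conditions at all.

LAN_IF="eth0"   # assumption: internal interface
WAN_IF="eth1"   # the posts' -o eth1

# gen_rules BANNED_LIST EXCEPTION_LIST
# Both arguments are whitespace-separated lists, as in the original posts.
gen_rules() {
    banned="$1"
    exceptions="$2"

    # replies to connections already allowed out are let back in
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for dst in $banned; do
        # requirement 2: exception hosts may reach the banned destination ...
        for src in $exceptions; do
            echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $src -d $dst -j ACCEPT"
        done
        # ... and everybody else is refused for that destination
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -d $dst -j DROP"
    done

    # requirement 1: all remaining outbound traffic is allowed ...
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    # ... and translated on the way out, unconditionally
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# count_rules BANNED_LIST EXCEPTION_LIST: number of commands gen_rules emits
count_rules() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample input: two banned addresses, two exception hosts.
# Literal addresses are used on purpose: a hostname given to -d is resolved
# once, when the rule is added, so a site whose addresses change later is
# no longer covered by the rule that was installed.
gen_rules "10.0.0.1 10.0.0.2" "192.168.0.1 192.168.0.2"
```

Piping the output through `sh` applies the rules; running it as-is only shows them. The reason the `-d ! host` form in the posts cannot express the requirement is visible in the emitted order: with two banned hosts, a rule that masquerades "everything not bound for host1" already matches packets bound for host2, so whichever banned host comes first in the loop effectively unbans the others. Listing each banned destination positively, exceptions first and a DROP second, has no such cross-talk between hosts.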