prevent a workstation from accessing the internet using iptables !!


hisham (IS-IT--Management), Nov 6, 2000
I used IP masquerading to allow internet access to all computers on the LAN, then I tried to prevent one workstation from accessing the internet:
iptables -A INPUT -p tcp -s 192.168.0.3 -j DROP
checking: iptables -L
target     prot opt source                  destination
DROP       tcp  --  station3.mydomain.com   anywhere

but this station can still access the internet !!

Thanks in advance for any help ..
 
Thank you thedaver, but how do I do the PREROUTING stage??
 
I'm sorry, I was thinking about something else.

You are right in your approach

The problem is that you have a rule before the one you are adding that has already allowed the IP to go out the firewall.

Remember that IPTables acts on the first rule that matches the situation. Be sure to place your blocking rule at the correct place in your IPTables chain. Probably higher than where you have it now.

 
The rule is best set in the FORWARD chain. INPUT won't work; iptables isn't going to look at this traffic as you want. INPUT refers to traffic destined for the local machine, not traffic that gets forwarded, which is done after the masquerading. INPUT -d 0/0 rules are not that useful except for multiple-interface boxes. All your rule does is preclude client 192.x.x.x from accessing TCP-based services on the masquerading router.

BTW: This will not stop a knowledgeable programmer from retrieving web pages if they have access to an external UDP HTTP gateway.
 
You are right marsd, it is working fine now that I have set the rule in the FORWARD chain.
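The fix the thread converges on (FORWARD chain, rule placed ahead of any ACCEPT), written out as a runnable script. This is an added example, not code posted in the thread: it assumes a LAN interface eth0, an Internet interface ppp0 and the host 192.168.0.3, none of which the thread states, and the two `iptables -S` listings at the bottom are constructed so the position check can be exercised without a router.

```sh
#!/bin/sh
# Added example, not from the thread: block one LAN host in the FORWARD chain
# and check that the DROP is evaluated before any ACCEPT that would shadow it.
# Assumptions (hypothetical, not stated in the thread): LAN interface eth0,
# Internet interface ppp0, host to block 192.168.0.3.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"

# Print the command that blocks HOST.  Three things differ from the INPUT rule
# in the first post:
#   FORWARD   - the chain that masqueraded LAN traffic actually traverses
#   -I ... 1  - insert at the top, so an earlier ACCEPT cannot match first
#   no -p tcp - drop every protocol, so UDP (DNS, for one) is cut as well
block_host_rules() {
    host="$1"
    printf 'iptables -I FORWARD 1 -i %s -o %s -s %s -j DROP\n' \
        "$LAN_IF" "$WAN_IF" "$host"
}

# Given the text of `iptables -S FORWARD`, return 0 only if a DROP for HOST
# appears before the first ACCEPT rule.  A DROP appended below an ACCEPT is
# exactly the situation in the thread: listed by iptables -L, never reached.
drop_precedes_accept() {
    host="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v h="$host" '
        /^-A FORWARD / && /-j DROP/ && index($0, "-s " h "/32 ") { found = 1; exit }
        /^-A FORWARD / && /-j ACCEPT/ { exit }
        END { exit !found }'
}

# Apply on a real router (root, iptables installed) and verify the position.
# After a few requests from the host, `iptables -L FORWARD -v -n --line-numbers`
# should show the packet counter on the DROP rule climbing.
apply_block() {
    host="$1"
    block_host_rules "$host" | sh -e &&
        drop_precedes_accept "$host" "$(iptables -S FORWARD)"
}

# Constructed listings for offline checking (no iptables needed).
SAMPLE_SHADOWED='-P FORWARD ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -s 192.168.0.3/32 -i eth0 -o ppp0 -j DROP'

SAMPLE_CORRECT='-P FORWARD ACCEPT
-A FORWARD -s 192.168.0.3/32 -i eth0 -o ppp0 -j DROP
-A FORWARD -i eth0 -o ppp0 -j ACCEPT'

case "${1:-}" in
    --apply) apply_block "${2:-192.168.0.3}" ;;
    *)       block_host_rules 192.168.0.3 ;;
esac
```

Run with no arguments to print the rule, or `--apply 192.168.0.3` on the router to insert it and confirm it sits above any ACCEPT. The -s match works in FORWARD because MASQUERADE happens in the nat table's POSTROUTING chain, after the filter table's FORWARD chain has already seen the packet with its private source address. Inserting at position 1 also puts the DROP ahead of any ESTABLISHED,RELATED accept rule, so connections the host already has open die too; `iptables -C` can tell you the rule exists, but only a listing with --line-numbers (or the -S scan above) tells you whether anything shadows it.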
 