IPTABLES question, multiple rules (Linux Networking forum, Linux Forums)
Hi, I have a question. I've set up a PPTP server with PoPToP for a VPN server. This server will be shared among several customers, each one a different company with many connections. So I'll have:

clients 1, 2, 3, 4 belong to company A
clients 5, 6, 7 and 8 belong to company B.

I'll assign, say, 10.10.1.1 to client 1, 10.10.1.2 to client 2, and so on, basically 10.10.1.0/24 to company A, and 10.10.2.0/24 to company B.

All clients will connect to the same VPN server, but this server will automatically assign the right IP address, based on the username. So, in order to keep packets within each customer's network, I do something like:

iptables -P FORWARD DROP

iptables -A FORWARD -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.10.2.0/24 -d 10.10.2.0/24 -j ACCEPT
iptables -A FORWARD -s 10.10.3.0/24 -d 10.10.3.0/24 -j ACCEPT
...

So for every company I add, I need a new rule. Is this the only way to go, or is there an easier way to do this?

hjf
--
If it's stuck, force it. If it breaks, it needed replacing anyway.
http://www.hjf.com.ar/
Hernán Freschi wrote:
> Hi, I have a question. I've set up a PPTP server with PoPToP for a VPN
> server. This server will be shared among several customers, each one a
> different company with many connections. So i'll have:
> CLIENTS 1, 2, 3, 4 belong to company A
> clients 5, 6, 7 and 8 belong to company B.
>
> I'll assign, say, 10.10.1.1 to client 1, 10.10.1.2 to client 2, and so
> on, basically 10.10.1.0/24 to company A, and 10.10.2.0/24 to company B.
>
> All clients will connect to the same VPN server, but this server will
> automatically assign the right IP address, based on the username. So, in
> order to keep packets within each customer's network, I do something like:
>
> iptables -P FORWARD DROP
>
> iptables -A FORWARD -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.2.0/24 -d 10.10.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.3.0/24 -d 10.10.3.0/24 -j ACCEPT
> ...
>
> So for every company I add, I need a new rule. Is this the only way to
> go, or is there an easier way to do this?

Add rules for all possible clients, and leave it like that? Just track which subnets you've assigned to whom.
Yes, that's how I do it, but I'm worried about performance. Every packet arriving on the interfaces must be checked against a couple of tens of rules.

Mike Mol wrote:
> Add rules for all possible clients, and leave it like that? Just track
> which subnets you've assigned to who.

hjf
--
If it's stuck, force it. If it breaks, it needed replacing anyway.
http://www.hjf.com.ar/
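The two posts above ask whether one ACCEPT rule per customer is the only option and whether a linear scan of a few dozen FORWARD rules is a performance problem. The script below is an added example, not code from the thread or from PoPToP. It generates an ipset-based alternative: one `hash:net,net` set holding each customer subnet paired with itself, so a single `-m set --match-set ... src,dst` rule accepts traffic only when source and destination fall in the same customer /24, and the number of FORWARD rules stays constant as customers are added. It also puts a conntrack fast path in front, so only the first packet of each flow reaches the set lookup at all. The subnet list, the set name `vpn_customers` and the chain layout are this example's own assumptions. It only emits `ipset restore` and `iptables-restore` input; it does not touch the kernel, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original posts): build a constant-size FORWARD
# ruleset that keeps each VPN customer's traffic inside its own /24 by using
# an ipset of type hash:net,net instead of one ACCEPT rule per customer.
# Assumptions: set name "vpn_customers", the subnets below (constructed
# sample input standing in for the subnets the PPTP server hands out).

CUSTOMER_SUBNETS='10.10.1.0/24
10.10.2.0/24
10.10.3.0/24'

# Emit "ipset restore" input. Each entry pairs a subnet with itself, so a
# packet matches only when src and dst lie in the same customer /24.
gen_ipset() {
    printf '%s\n' 'create vpn_customers hash:net,net -exist'
    printf '%s\n' "$1" | while read -r net; do
        [ -n "$net" ] || continue
        printf '%s\n' "add vpn_customers $net,$net -exist"
    done
}

# Emit "iptables-restore" input for the filter table. The FORWARD policy is
# DROP; established flows are accepted before any lookup, invalid conntrack
# state is dropped, and one set match handles every customer.
gen_iptables() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m set --match-set vpn_customers src,dst -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules a packet can traverse: fixed regardless of how
# many subnets are in CUSTOMER_SUBNETS.
forward_rule_count() {
    gen_iptables | grep -c '^-A FORWARD'
}

# The per-customer approach from the thread, for comparison: its rule count
# grows with the number of subnets.
gen_linear() {
    printf '%s\n' "$1" | while read -r net; do
        [ -n "$net" ] || continue
        printf '%s\n' "-A FORWARD -s $net -d $net -j ACCEPT"
    done
}

# Stand-alone usage: print both fragments. On the VPN server you would run
#   gen_ipset "$CUSTOMER_SUBNETS" | ipset restore
#   gen_iptables | iptables-restore
echo '# ipset restore input:'
gen_ipset "$CUSTOMER_SUBNETS"
echo '# iptables-restore input:'
gen_iptables
```

Adding a customer then becomes `ipset add vpn_customers 10.10.4.0/24,10.10.4.0/24` with no change to the iptables rules. Note that, like the original rules, this matches on addresses only: it relies on the VPN server assigning each client the right address and does not by itself check that a packet's source address belongs to the ppp interface it arrived on.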
<snip>
> So, in order to keep packets within each customer's network, I do something like:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.2.0/24 -d 10.10.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.3.0/24 -d 10.10.3.0/24 -j ACCEPT
> ...

You are right. IMHO, I think there should be an easier way to keep packets within their own network; have you tried denying access to packets from other networks? Let me know.

--
Raqueeb Hassan
Bangladesh