Score:1

IPTABLES allow connection to a list of IPs to a specific user (ip) - block all the rest from this user only


We all have that user that needs to access only a certain range of IPs in a network where everyone has access to the internet, so...

# IP forward
echo "1" > /proc/sys/net/ipv4/ip_forward
# CleanUP
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat

# Lets drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

#  Masking
iptables -A POSTROUTING -t nat -o $IF_EXTERNAL -j MASQUERADE

# ALLOW ONLY ACCESS LIST TO 192.168.10.10 REST OF INTERNET IS BLOCKED
ALLOW_IP_RANGE="8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20"
# Dedicated chain for the allow-list (same name used in every rule below)
iptables -N ALLOWEDIPS
for IPLIST in $ALLOW_IP_RANGE; do
    iptables -I FORWARD -m tcp -p tcp --destination $IPLIST -j ALLOWEDIPS
done
iptables -I ALLOWEDIPS -s 192.168.10.10 -j ACCEPT
iptables -A FORWARD    -s 192.168.10.10 -j REJECT

# Forward the rest of internet to every one else
iptables -A FORWARD -i $IF_INTERNAL -j ACCEPT

This is not working and I tried to move the:

iptables -A FORWARD -s 192.168.10.10 -j REJECT

from the beginning to the end, but the IP still gets full internet.

Score:3

Probably this is not a clean solution, but it will work

All users will have access to the internet except restricted user

# Define variables
USER_IP=172.16.0.101
ALLOW_IPS="1.2.3.4 2.3.4.5 3.4.5.6"
IF_EXTERNAL=vmbr0

# Clear previous per-user rules (matched by their comment) and the masquerade rules
iptables-save | grep -v "userrestricted\|MASQUERADE" | iptables-restore

# Generate masquerade rules for the restricted user (IP), one per allowed destination
for ALLOW_IP in $ALLOW_IPS
do
iptables -t nat -A POSTROUTING -s ${USER_IP} -d ${ALLOW_IP} -o ${IF_EXTERNAL} -j MASQUERADE -m comment --comment userrestricted
done

# Trick with SNAT that invalidates the remaining packets from the restricted user
iptables -t nat -A POSTROUTING -s ${USER_IP} -o ${IF_EXTERNAL} -j SNAT --to 127.0.0.1 -m comment --comment userrestricted

# Get common masquerade rule back
iptables -t nat -A POSTROUTING -o ${IF_EXTERNAL} -j MASQUERADE

It works for me; make sure you have the common masquerade rule after the restricted user rules.

Please check it; if it's not what you want I can correct the answer.

mangohost
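For contrast with the question's script (where the blanket FORWARD rule accepting NEW state matched before any per-host rule) and with the SNAT trick above, here is an added example, not code from the question or the answer, that builds an atomic iptables-restore ruleset doing the restriction in the filter table. The interface names, the restricted host and the allow-list are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that limits one LAN host to a
# destination allow-list while every other LAN host keeps full internet.
IF_INTERNAL="eth1"                  # assumed LAN interface
IF_EXTERNAL="eth0"                  # assumed WAN interface
USER_IP="192.168.10.10"             # host to restrict (address from the question)
ALLOW_IPS="8.8.4.0/24 8.8.8.0/24"   # assumed destinations it may still reach

# Filter table. Rule order is the whole point: a blanket "accept NEW" on FORWARD
# placed before the per-host rules means the REJECT is never reached. Here the
# per-host chain is consulted first, then the LAN-wide accept.
# INPUT/OUTPUT policies for the router itself are left at ACCEPT; tighten separately.
gen_filter() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':RESTRICTED - [0:0]'
    # Replies for flows that were already allowed, for every host
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New flows from the restricted host are judged by RESTRICTED before anything else
    printf '%s\n' "-A FORWARD -i $IF_INTERNAL -s $USER_IP -m conntrack --ctstate NEW -j RESTRICTED"
    # Everyone else on the LAN may open connections towards the internet
    printf '%s\n' "-A FORWARD -i $IF_INTERNAL -o $IF_EXTERNAL -m conntrack --ctstate NEW -j ACCEPT"
    for dst in $ALLOW_IPS; do
        printf '%s\n' "-A RESTRICTED -o $IF_EXTERNAL -d $dst -j ACCEPT"
    done
    # Anything not on the list: reject with an ICMP error so the client fails fast
    printf '%s\n' "-A RESTRICTED -j REJECT --reject-with icmp-admin-prohibited"
    printf '%s\n' "COMMIT"
}

# NAT table: a single masquerade rule is enough; no per-host SNAT trick is needed
gen_nat() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A POSTROUTING -o $IF_EXTERNAL -j MASQUERADE"
    printf '%s\n' "COMMIT"
}

# Number of allow-list entries that made it into the ruleset (sanity check)
count_allowed() {
    gen_filter | grep -c -- '-A RESTRICTED -o .* -d .* -j ACCEPT'
}

# Apply atomically (as root, with net.ipv4.ip_forward=1):
#   { gen_filter; gen_nat; } > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```

Check the result with `iptables -L FORWARD -v -n --line-numbers`: the jump to RESTRICTED must sit above the LAN-wide ACCEPT, and the restricted host's counters on the REJECT line should rise when it tries a destination outside the list.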
