Blocking all except few host via iptables.

azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Post by azfar »

I have a few clients that require access to only a few destinations. I want to set it up with iptables via any method, i.e. destination IP address based or domain name based.
Is it possible?
Azfar Hashmi
Email : azfarhashmi@hotmail.com
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

Yes, it's possible.
linuxgossip
Lance Naik
Posts: 18
Joined: Fri Mar 04, 2005 1:48 pm
Location: Ghy

Re: Blocking all except few host via iptables.

Post by linuxgossip »

If eth0 is your external interface, i.e. the interface which is either connected to the internet or the interface which is not connected to the LAN (eth1; your clients, I assume, have LAN IP addresses),

then issue the following commands:

/sbin/iptables -A INPUT -i eth0 -s <destination-ip-address1>/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s <destination-ip-address2>/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s <destination-ip-address3>/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p all --destination xyz.com -m state --state RELATED,ESTABLISHED -i eth0 -j ACCEPT

/sbin/iptables -A INPUT -p all --destination 0/0 -m state --state NEW -i eth0 -j DROP

You had better write these lines to a file with any filename you like and save it (say, in the root directory with the filename allow-destination):
[root@Fed3 ~]# chmod +x /root/allow-destination <hit enter>
[root@Fed3 ~]# /root/allow-destination <hit enter>

Next, add the line /root/allow-destination at the bottom of your /etc/rc.local file, so that on any reboot the above commands get run automatically.

Regards,

linuxgossip

Enjoy Linux !
Last edited by linuxgossip on Sun Apr 17, 2005 8:28 pm, edited 3 times in total.
azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Post by azfar »

Thanks all. I am currently doing it as follows and it's working, but I am also going to try your one.

iptables -A FORWARD -s 202.69.48.170 -d worldspan.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.worldspan.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d aeroasia.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.aeroasia.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d shaheenair.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.shaheenair.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d airblue.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.airblue.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 202.69.49.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 202.69.48.0/255.255.255.128 -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 202.69.48.128/255.255.255.128 -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d google.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d gmail.google.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.google.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 0/0 -j REJECT
azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Post by azfar »

Well, I am facing a problem here: I am able to control this on static sites but can't on sites like hotmail.com or mail.yahoo.com.
Although I added as many sites as they redirect to, I am still not able to fix it completely. Any idea?
linuxgossip
Lance Naik
Posts: 18
Joined: Fri Mar 04, 2005 1:48 pm
Location: Ghy

Post by linuxgossip »

Dear Azfar,

I am sure if you use my example you'll finally be successful, because
after issuing ACCEPT to known and intended sites/addresses/destinations I have used the following command in the last line:

/sbin/iptables -A INPUT -p all --destination 0/0 -m state --state NEW -i eth0 -j DROP

This blocks all except those addresses/destinations that you have allowed.

Also make sure you write the DROP command in the last line.
Regards,

linuxgossip

Enjoy Linux !
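The trouble azfar hits with hotmail.com comes from how `-d <hostname>` works: iptables resolves the name once, when the rule is inserted, so addresses the site adds or changes later are never covered, and large mail sites spread across many hostnames and addresses. The script below is an added example, not code from either poster: it builds the FORWARD allowlist from a destination list, resolving each hostname itself so every address is visible in the rule set and the list can be regenerated from cron. The client address, destinations and resolver address are constructed placeholders; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Constructed values, not from the thread: one LAN client, the destinations
# it may reach (hostnames or IPv4 CIDRs), and the only DNS server it may use.
CLIENT=202.69.48.170
DESTS="www.example.net 203.0.113.0/24 mail.example.net"
DNS=192.0.2.53

# Resolve a hostname to all of its IPv4 addresses via getent (/etc/hosts and
# DNS). Done here, not by iptables, so the addresses appear in the rule list
# and a re-run picks up changes. RESOLVE can be overridden for offline tests.
resolve_getent() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }
RESOLVE=${RESOLVE:-resolve_getent}

# Print the rule set. The chain policy supplies default deny, so a missing
# ACCEPT fails closed; RELATED,ESTABLISHED lets replies through without
# listing every server; the final REJECT is logged so misses show up in syslog.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $CLIENT -d $DNS -p udp --dport 53 -j ACCEPT"
    for d in $DESTS; do
        case $d in
            *[a-zA-Z]*)   # hostname: one rule per resolved address
                for ip in $("$RESOLVE" "$d"); do
                    echo "iptables -A FORWARD -s $CLIENT -d $ip -j ACCEPT  # $d"
                done ;;
            *)            # literal address or CIDR
                echo "iptables -A FORWARD -s $CLIENT -d $d -j ACCEPT" ;;
        esac
    done
    echo "iptables -A FORWARD -s $CLIENT -j LOG --log-prefix 'fwd-denied: '"
    echo "iptables -A FORWARD -s $CLIENT -j REJECT"
}

# Review with:  sh allow-destination.sh            (prints the rules)
# Apply with:   gen_rules | sh   from a root cron job, e.g. hourly, so that
# address changes behind the hostnames are picked up.
if [ "${1:-}" = "print" ]; then gen_rules; fi
```

Hostnames that redirect to other hostnames still need each name listed, as azfar found; the log prefix shows which destinations were rejected so the list can be completed from real traffic rather than guesswork.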