IP networks and net masks

Tim Wunder tim
Mon May 17 11:43:22 PDT 2004


On 1/24/2003 10:56 AM, someone claiming to be David A. Bandel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Fri, 24 Jan 2003 09:25:57 -0500
> begin  Tim Wunder <tim at thewunders.org> spewed forth:
> 
> 
>>I'm currently using a freesco router to access the internet. Currently, 
>>I have no controls on it for local access out to the internet. So my 
>>son's PC accesses the internet by using the router as the gateway. Now, 
>>I'd like to be able to allow only 192.168.1.2 (my PC/server) to be able 
>>to access the internet through my router, and to run squid and 
>>squid-guard (or dans guardian) on my server to control internet access.
>>
>>Now, freesco allows me to add IP addresses to /etc/banlist.cfg. I can 
>>ban a single IP address by adding the line "l,192.168.1.5", or a network
>>
>>by adding "l,192.168.1.0/24". Can I use a netmask other than /24 that 
>>would only allow 192.168.1.2 access to the 'net thru the router?
>>
>>Any other ideas for a means of controlling 'net access?
> 
> 
> 
> I don't know about Freesco.  However, under iptables it's very easy to
> redirect all systems attempting to bypass the Squid system back to the
> squid system.
> 
> Basically, only allow port 80 requests from squid's IP out, and redirect
> all queries from other systems back to squid.  No worries.  I believe in
> the iptables documentation they even have an example of how to set up this
> very task (if not, it's in the squid docs -- I know I've seen it).
> 

Interesting. Thanks. I'll do that when I get the router part 
straightened out. The way the router is set up, the server that would be 
running squid can be bypassed just by specifying the router as the 
gateway, so whatever iptables rules I set up would be irrelevant.

To rephrase my question...
If I add l,192.168.1.0/32, I'd be blocking everybody (I think...). Can I 
use something like 192.168.1.0/30 and block everything above 
192.168.1.2? I can then specifically block 192.168.1.1 and thus, have 
what I want. I guess I can just try it and see what happens...

Tim
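The question at the end of the thread is really about what address range a CIDR prefix denotes, and a deny list is only as good as the prefixes in it: one wrong prefix silently blocks far more, or far fewer, hosts than intended. The following is an added example, not code from the thread or from freesco, that uses Python's standard `ipaddress` module to compute exactly which hosts an entry covers. It assumes entries in the `l,<address>[/<prefix>]` shape the thread describes for `/etc/banlist.cfg` (a bare address is treated as a single host); the sample list, the helper names and the LAN/allowed-host values are constructed for illustration.

```python
"""Worked example (added; not from the original thread): what a CIDR
prefix actually covers in an allow/deny list, using only the standard
library's ipaddress module."""
import ipaddress
from typing import List, Tuple

# Constructed sample entries in the "l,<address>[/<prefix>]" shape the
# thread describes for freesco's banlist.  That freesco parses exactly
# this way is an assumption; the point here is the CIDR arithmetic.
SAMPLE_BANLIST = """\
l,192.168.1.5
l,192.168.1.0/32
l,192.168.1.0/30
"""


def parse_banlist(text: str) -> List[ipaddress.IPv4Network]:
    """Turn 'l,<ip>[/<prefix>]' lines into networks; a bare address is a /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, target = line.partition(",")
        if kind != "l" or not target:
            raise ValueError(f"unrecognised banlist line: {raw!r}")
        # strict=False masks off host bits ("192.168.1.5/24" -> 192.168.1.0/24),
        # which is what most firewalls do silently; worth knowing when auditing.
        nets.append(ipaddress.ip_network(target, strict=False))
    return nets


def hosts_covered(net: ipaddress.IPv4Network) -> Tuple[str, str, int]:
    """First address, last address and number of addresses a prefix denotes."""
    return (str(net.network_address), str(net.broadcast_address), net.num_addresses)


def is_banned(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if any list entry covers the address (first-match, no allow rules)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def deny_all_but(lan: str, allowed: str) -> List[str]:
    """Smallest set of CIDR blocks covering every address in `lan` except `allowed`.

    This is the general answer to "block the whole LAN except one host" with
    prefix-based entries only: address_exclude() splits the LAN into the
    blocks that do not contain the allowed address.
    """
    lan_net = ipaddress.ip_network(lan)
    keep = ipaddress.ip_network(allowed)  # raises if not inside lan_net
    return [str(n) for n in sorted(lan_net.address_exclude(keep))]


if __name__ == "__main__":
    nets = parse_banlist(SAMPLE_BANLIST)
    for net in nets:
        print(f"{str(net):18} covers {hosts_covered(net)}")
    print("192.168.1.2 banned by sample list:", is_banned("192.168.1.2", nets))
    print("blocks that deny 192.168.1.0/24 except .2:",
          deny_all_but("192.168.1.0/24", "192.168.1.2/32"))
```

Running it shows that `192.168.1.0/32` covers exactly one address (192.168.1.0), that `192.168.1.0/30` covers 192.168.1.0 through 192.168.1.3 and therefore includes the host that was meant to stay reachable, and that denying a /24 except a single host needs eight prefix entries (from `192.168.1.0/31` up to `192.168.1.128/25`). Checking coverage this way before editing the list is the cheap way to catch a prefix that is wider or narrower than intended.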