iptables: separate clients from each other

Posted by Florian Lagg on Super User See other posts from Super User or by Florian Lagg
Published on 2010-05-18T16:36:51Z Indexed on 2010/05/18 16:41 UTC
Read the original article Hit count: 215

Filed under:

subnet

|

iptables

|

security

Hello, is there a way to separate clients in a subnet so that they cannot reach each other?

The infrastructure currently looks like this:

192.168.0.1/24 Gateway, a CentOS box with iptables.
192.168.0.10-20 Some clients which may reach each other
192.168.0.30 A single client which
- should not be able to reach the hosts 192.168.0.10-20
- should be able to reach the gateway and the internet

I don't know if it is possible, maybe you could give me your ideas how it could be done. I cannot influence the machine 192.168.0.30 because it is a virtual machine I want to rent to someone. Thanks.

© Super User or respective owner

Related posts about subnet

Can I subnet a subnet?

as seen on Server Fault - Search for 'Server Fault'
Apologies in advance for the botched terminology. I have read the Server Fault Subnet Wiki but this is more of an ISP question. I currently have a /27 block of public IPs. I use give my router the first address in this pool and then use 1-to-1 NAT for all the servers behind the firewall, so that… >>> More
Connecting to a remote server through OpenVPN when local network subnet conflicts with remote network's subnet

as seen on Server Fault - Search for 'Server Fault'
After connecting to a remote location via OpenVPN, I am trying to access a server on a network that exists on a subnet such as 10.0.1.0/24. However, the network I am trying to access this remote server from is on the same subnet: 10.0.1.0/24. I am unable to connect to my remote server via typing… >>> More
How to Route Traffic in Case PPTP Remote Client is on Same Subnet as Server

as seen on Server Fault - Search for 'Server Fault'
I've a PPTP server setup on my local home network (192.168.1.0/24, pfSense). Now sometimes when I'm away and want to connect remotely my client (Windows 7) is also on the same network because e.g. the hotel has set it up the same way. Thus the connection works, but I can't reach any PC on my home… >>> More
Changing subnet-mask of class-c network host to 255.255.0.0

as seen on Server Fault - Search for 'Server Fault'
We have a existing class-c network with IP address range 11.22.33.44/24 (just for example). My domain controller has been configured within this subnet. So all servers within this subnet have subnet mask configured to 255.255.255.0. Now we have got a new subnet with IP address 11.22.88.99/24 (note… >>> More
Issues resolving DNS entries for multi-homed servers

as seen on Server Fault - Search for 'Server Fault'
This is difficult to explain, so bear with me. We have 2 domain controllers, each multi-homed to straddle 2 internal subnets, (subnet A and subnet B) and provide dns, dhcp, and ldap authentication. Both domain controllers each have 2 DNS entries. both entries have identical host names, but correspond… >>> More

Related posts about iptables

Sometimes this script fails to update the iptables

as seen on Server Fault - Search for 'Server Fault'
It does not happen often, but sometimes after running the below script, checking the iptables with service iptables status shows that they weren't updated and the script doesn't output any error. The iptables is structured as look-up tree (long repeated sections snipped): #!/bin/sh iptables -t… >>> More
My current iptable configuration doesn't work [on hold]

as seen on Server Fault - Search for 'Server Fault'
sudo chkconfig iptables off /etc/init.d/iptables on ### Clear/flush iptables sudo iptables -F sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT ### Allow SSH iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables… >>> More
L2TP iptables port forward

as seen on Server Fault - Search for 'Server Fault'
Hi all, I'm setting up port forwarding for an L2TP VPN connection to the local Windows 2003 VPN server. The router is a simpel Debian machine with iptables. The VPN server works perfect. But I cannot log in from the WAN. I'm missing something. The VPN server is using a pre-shared key (L2TP) and… >>> More
iptables -P FORWARD DROP makes port forwarding slow

as seen on Server Fault - Search for 'Server Fault'
I have three computers, linked like this: box1 (ubuntu) box2 router & gateway (debian) box3 (opensuse) [10.0.1.1] ---- [10.0.1.18,10.0.2.18,10.0.3.18] ---- [10.0.3.15] | box4, www [10.0.2.1] Among other… >>> More
IPtables AWS EC2 NAT/Reverse NAT - For Reverse Proxy style setup but with IPtables

as seen on Server Fault - Search for 'Server Fault'
I was thinking initially needing to do a reverse proxy or something so I could get some SSL/TLS traffic look like it is being terminated at a server and IP address in the AWS cloud, and then that traffic is forwarded onto our actual web servers that aren't in the cloud... I've not done much iptables… >>> More