iptables
openkazan, 2018-04-06 09:39:30

How to filter Internet access through a backup external channel?

There is 1 LAN and 2 external channels. The second uplink, with the worse channel, is a reserve, and switching to it occurs automatically using a script.
The rules are initially written as:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
and the script simply changes the default route.
Everything works, everything is fine.
Task: when switching to the backup channel (eth1), access to the Internet from the local network must be prohibited for everyone except 2 IPs.
But when switching back to the main one, everyone should go online again.
PS: I'm not an iptables specialist at all, but the task is on fire. Needed right now.


1 answer(s)
krosh, 2018-04-10

Use the FORWARD chain to filter passing traffic.
I don’t know what you have there now, but the correct solution should contain the following rules:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "ALLOWED Established connections" -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -o eth0 -m comment --comment "ALLOWED Local network, main channel" -j ACCEPT
iptables -A FORWARD -s 192.168.0.101 -o eth1 -m comment --comment "ALLOWED Good person one, backup channel" -j ACCEPT
iptables -A FORWARD -s 192.168.0.102 -o eth1 -m comment --comment "ALLOWED Good person two, backup channel" -j ACCEPT
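
The point of the answer above is that the filter keys on the output interface, which already follows the default route, so the failover script needs no extra logic. As an added example (not krosh's script and not from the original thread), the same policy as a parameterised ruleset plus a small first-match simulator, so the rules can be checked before they are loaded. The interface names, the 192.168.0.0/24 prefix and the two permitted hosts are taken from the thread as assumptions; `in_net` only understands a /24 prefix or a single address.

```shell
#!/bin/sh
# Added example, not the answerer's script: builds the FORWARD ruleset from a list
# of hosts that may still use the backup uplink, and simulates iptables first-match
# evaluation for a NEW forwarded packet. Values below are assumptions from the thread.

LAN_NET="${LAN_NET:-192.168.0.0/24}"
MAIN_IF="${MAIN_IF:-eth0}"
BACKUP_IF="${BACKUP_IF:-eth1}"
# hosts that keep Internet access on the backup uplink, space separated
BACKUP_ALLOWED="${BACKUP_ALLOWED:-192.168.0.101 192.168.0.102}"

# Emit the FORWARD rules, one per line, in the order they are loaded. The nat
# MASQUERADE rules from the question stay as they are and are not repeated here.
forward_rules() {
    echo "-P FORWARD DROP"
    echo "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "-A FORWARD -s $LAN_NET -o $MAIN_IF -j ACCEPT"
    for host in $BACKUP_ALLOWED; do
        echo "-A FORWARD -s $host -o $BACKUP_IF -j ACCEPT"
    done
}

# Load the rules into the kernel (needs root). FORWARD is flushed first so the
# script can be re-run without accumulating duplicate rules.
apply_rules() {
    iptables -F FORWARD
    forward_rules | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        iptables $rule
    done
}

# in_net IP NET: true if IP is covered by NET (a.b.c.0/24 or a single address)
in_net() {
    case $2 in
        */24) net=${2%%/*}; [ "${1%.*}" = "${net%.*}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# decide SRC OUT_IF: verdict for a NEW forwarded packet from SRC leaving via OUT_IF.
# Mirrors iptables semantics: the first -A rule whose -s and -o both match wins,
# otherwise the chain policy applies. Prints ACCEPT or DROP.
decide() {
    src=$1; oif=$2; verdict=DROP
    while read -r rule; do
        case $rule in
            "-P FORWARD "*) verdict=${rule##* } ;;
            "-A FORWARD -s "*" -o "*" -j "*)
                rest=${rule#-A FORWARD -s }; r_src=${rest%% *}
                rest=${rest#* -o };         r_oif=${rest%% *}
                r_jump=${rule##* }
                if in_net "$src" "$r_src" && [ "$oif" = "$r_oif" ]; then
                    echo "$r_jump"; return 0
                fi ;;
            *) ;;   # conntrack rule: never matches a NEW flow, skip it
        esac
    done <<EOF
$(forward_rules)
EOF
    echo "$verdict"
}

# "show" (default) prints the ruleset for review; "apply" loads it.
case ${1:-show} in
    apply) apply_rules ;;
    show)  forward_rules ;;
esac
```

Run it with no arguments to review the generated rules, and with `apply` as root to load them; `decide 192.168.0.50 eth1` shows that an ordinary LAN host is dropped once the default route points at the backup uplink, while `decide 192.168.0.101 eth1` is accepted, without the failover script touching the firewall at all.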
