IPTABLES question, multiple rules

 
 
Hernán Freschi

 
      04-21-2005, 04:07 PM
Hi, I have a question. I've set up a PPTP server with PoPToP for a VPN
server. This server will be shared among several customers, each one a
different company with many connections. So I'll have:
clients 1, 2, 3 and 4 belong to company A
clients 5, 6, 7 and 8 belong to company B.

I'll assign, say, 10.10.1.1 to client 1, 10.10.1.2 to client 2, and so
on, basically 10.10.1.0/24 to company A, and 10.10.2.0/24 to company B.

All clients will connect to the same VPN server, but this server will
automatically assign the right IP address, based on the username. So, in
order to keep packets within each customer's network, I do something like:

iptables -P FORWARD DROP

iptables -A FORWARD -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.10.2.0/24 -d 10.10.2.0/24 -j ACCEPT
iptables -A FORWARD -s 10.10.3.0/24 -d 10.10.3.0/24 -j ACCEPT
....


So for every company I add, I need a new rule. Is this the only way to
go, or is there an easier way to do this?


hjf

--
If it's stuck, force it. If it breaks, it needed to be replaced anyway.

http://www.hjf.com.ar/
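The per-tenant FORWARD rules from the post above, generated from a tenant table instead of being typed one at a time. This is an added example and not code from the thread; it assumes a list of "name subnet" pairs (the three tenants below are constructed sample data, not the poster's real assignment) and emits iptables-restore(8) input, so the whole set is loaded atomically instead of rule by rule. One caveat the thread does not raise: `-s` matches whatever source address the client wrote on the packet, so a client in one tenant's range that spoofs an address from another tenant's range satisfies the `-s`/`-d` pair. Enabling strict reverse-path filtering (`net.ipv4.conf.all.rp_filter=1`) makes the kernel drop a packet whose source would not be routed back out the ppp interface it arrived on, which closes that gap for per-peer /32 routes.

```shell
#!/bin/sh
# Added example, not from the original thread: build the per-tenant FORWARD
# rules from a tenant table and emit them in iptables-restore(8) format.
# TENANTS is constructed sample data ("name subnet" per line), not the
# poster's real assignment.

TENANTS='companyA 10.10.1.0/24
companyB 10.10.2.0/24
companyC 10.10.3.0/24'

# gen_forward_rules: print a filter-table fragment with FORWARD policy DROP
# and one ACCEPT per tenant that only matches traffic whose source and
# destination both lie in that tenant's subnet. iptables-restore ignores
# lines starting with '#', so the tenant names survive as comments.
gen_forward_rules() {
    printf '*filter\n'
    printf ':FORWARD DROP [0:0]\n'
    printf '%s\n' "$TENANTS" | while read -r name subnet; do
        [ -n "$name" ] || continue
        printf '# tenant: %s\n' "$name"
        printf '%s\n' "-A FORWARD -s $subnet -d $subnet -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# count_accepts: number of per-tenant ACCEPT rules in the generated set,
# i.e. how many rules a forwarded packet can traverse before the DROP policy.
count_accepts() {
    gen_forward_rules | grep -c -- '-j ACCEPT'
}

# Usage (as root; this replaces the current filter table):
#   gen_forward_rules | iptables-restore
gen_forward_rules
```

Adding a tenant is then one more line in the table and a reload, and the rule order is reproducible from the table rather than from whatever was typed last.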
Mike Mol

 
      04-21-2005, 08:14 PM

Hernán Freschi wrote:
> Hi, I have a question. I've set up a PPTP server with PoPToP for a VPN
> server. This server will be shared among several customers, each one a
> different company with many connections. So I'll have:
> clients 1, 2, 3 and 4 belong to company A
> clients 5, 6, 7 and 8 belong to company B.
>
> I'll assign, say, 10.10.1.1 to client 1, 10.10.1.2 to client 2, and so
> on, basically 10.10.1.0/24 to company A, and 10.10.2.0/24 to company B.
>
> All clients will connect to the same VPN server, but this server will
> automatically assign the right IP address, based on the username. So, in
> order to keep packets within each customer's network, I do something like:
>
> iptables -P FORWARD DROP
>
> iptables -A FORWARD -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.2.0/24 -d 10.10.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.3.0/24 -d 10.10.3.0/24 -j ACCEPT
> ...
>
> So for every company I add, I need a new rule. Is this the only way to
> go, or is there an easier way to do this?


Add rules for all possible clients, and leave it like that? Just track
which subnets you've assigned to whom.

 
Hernán Freschi

 
      04-22-2005, 12:33 AM
Yes, that's how I do it, but I'm worried about performance. Every packet
arriving on the interfaces must be checked against a couple of tens of rules.

Mike Mol wrote:

> Add rules for all possible clients, and leave it like that? Just track
> which subnets you've assigned to who.
>



hjf

--
If it's stuck, force it. If it breaks, it needed to be replaced anyway.

http://www.hjf.com.ar/
 
Raqueeb Hassan

 
      04-22-2005, 02:21 AM
<snip>

> So, in order to keep packets within each customer's network, I do
> something like:
>
> iptables -P FORWARD DROP
>
> iptables -A FORWARD -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.2.0/24 -d 10.10.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.10.3.0/24 -d 10.10.3.0/24 -j ACCEPT
> ...


You are right. IMHO, I think there should be an easier way to keep packets
within their own network. Have you tried denying access to packets
from other networks? Let me know.


--
Raqueeb Hassan
Bangladesh

 