LinuxQuestions.org
Old 10-15-2004, 06:07 AM   #1
jhp
LQ Newbie
 
Registered: Jul 2004
Location: Derby, UK
Distribution: Arch, Fedora, Trustix
Posts: 21

Rep: Reputation: 15
Bridge/Firewall Connection Problem


Hi.

We have a branch which connects to the main site via a VPN connection. Recently, I've installed a Linux Bridge and I've just started to apply firewall rules to it.

Main site - 10.1.0.0 / 16 (yes, I know the subnet is iffy)
Branch - 10.5.0.0 / 16
ADSL Router - 10.5.0.1 /16
Bridge/FW - 10.5.0.2 /16

All machines at the site connect through the bridge fine and dandy. I've blocked them from seeing anything but the main site. The bridge also contains Squid and DansGuardian which is running wonderfully.

Only problem is, when I try to ping or connect to the bridge machine from the main site, it's very sporadic, certainly not a good enough connection to hold it open long enough to do anything. All the machines behind it ping and connect without any problems; the only way I can shell into it presently is to VNC into a workstation behind the router and then shell as if I were local to it!

Obviously, I'd like to be able to connect to 10.5.0.2 from 10.1.x.x. Anyone have any idea what's wrong with this script? It's only a basic one, but I'm sure there's a bit of something fundamental I've missed off.

Thanks in advance!

John


#
# flush existing
#
iptables -F

#
# policies on existing templates
#
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#
# input rules
# local, dns, ssh, http, socks, http -> dansg (8080)
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 10.1.0.0/16 --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT
iptables -A INPUT -i br0 -p tcp -d 10.5.0.2 -s 10.5.0.0/16 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -j DROP

#
# forwarding rules
#

#
# Allow everyone from the inside network to connect and
# for the reply packets to come back
#
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# This is to connect the VPN traffic
#
iptables -A FORWARD -s 10.1.0.0/16 -d 10.5.0.0/16 -j ACCEPT
iptables -A FORWARD -s 10.5.0.0/16 -d 10.1.0.0/16 -j ACCEPT
iptables -A FORWARD -s 10.5.0.0/16 -d 10.5.0.0/16 -j ACCEPT

#
# drop everything else
#
iptables -A FORWARD -j DROP
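A first-match walk of the INPUT chain from the post, added here as an example (it is not the poster's script nor part of any LQ reply); the rule list is transcribed from the rules above and the test packets are constructed. It returns the 1-based rule number as `iptables -L INPUT --line-numbers` would show it, so each verdict can be compared with the live per-rule counters from `iptables -nvL INPUT`.

```python
import ipaddress

# Rules transcribed from the INPUT chain in the post (protocol 50 = ESP, 51 = AH).
# Each rule is a dict of match criteria plus the target; a missing key means "any".
INPUT_POLICY = "ACCEPT"
INPUT_RULES = [
    dict(iface="lo", target="ACCEPT"),
    dict(proto="icmp", target="ACCEPT"),
    dict(proto="esp", target="ACCEPT"),
    dict(proto="ah", target="ACCEPT"),
    dict(state={"ESTABLISHED", "RELATED"}, target="ACCEPT"),
    dict(state={"NEW"}, proto="tcp", src="10.1.0.0/16", dport=22, target="ACCEPT"),
    dict(state={"NEW"}, proto="tcp", src="10.5.0.0/16", dport=22, target="ACCEPT"),
    dict(iface="br0", proto="tcp", dst="10.5.0.2/32", src="10.5.0.0/16", dport=8080,
         state={"NEW", "ESTABLISHED"}, target="ACCEPT"),
    dict(target="REJECT"),   # --reject-with icmp-host-prohibited
    dict(target="DROP"),     # never reached: the REJECT above matches everything
]

def _matches(rule, pkt):
    """True if every criterion present in the rule matches the packet."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    return True

def first_match(rules, policy, pkt):
    """Walk the chain in order; return (rule_number, target), -1 meaning the chain policy."""
    for number, rule in enumerate(rules, start=1):
        if _matches(rule, pkt):
            return number, rule["target"]
    return -1, policy

def verdict(iface, proto, src, dst, state, dport=None):
    """Verdict of the INPUT chain for one packet described by its headers and conntrack state."""
    pkt = dict(iface=iface, proto=proto, src=src, dst=dst, state=state, dport=dport)
    return first_match(INPUT_RULES, INPUT_POLICY, pkt)

if __name__ == "__main__":
    # Constructed sample: a new SSH connection from the main site to the bridge's own address.
    print(verdict("br0", "tcp", "10.1.0.20", "10.5.0.2", "NEW", 22))   # (6, 'ACCEPT')
```

As written the chain admits any ICMP and a new SSH connection from 10.1.0.0/16 to the bridge, so the INPUT filter alone does not account for the dropouts; comparing these verdicts with the live counters, and remembering that bridged frames also traverse FORWARD when bridge-nf-call-iptables is enabled, is the next step.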