LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-04-2004, 03:56 PM   #1
extremebfn
Member
 
Registered: Jun 2004
Location: bloem
Distribution: asdsa
Posts: 43

Rep: Reputation: 15
FIREWALL HELP....HELP


Hi. Here is a diagram of my current setup



Internal NetworkA (Connected to Eth0 on Linux Box)
=============

PC1: 192.168.29.10
PC2: 192.168.29.11
ADSL Gateway: 192.168.29.1


Slackware 10 BRIDGE
===============
br0: 192.168.29.100

WHAT I DID

ifconfig eth0 down ;
ifconfig eth1 down ;
brctl addbr br0 ;
brctl addif br0 eth0 ;
brctl addif br0 eth1 ;
ifconfig eth0 0.0.0.0 ;
ifconfig eth1 0.0.0.0 ;
ifconfig br0 192.168.29.100 ;
route add default gw 192.168.29.1 br0
brctl setbridgeprio br0 1

EXTERNAL NETWORK B (Connected to Eth1 on Linux Box)
================

PC3: 192.168.29.20(Gateway is set to 192.168.29.1)
PC4: 192.168.29.21(Gateway is set to 192.168.29.1)

Ok..so it looks like this:
LINUX
Internal NetworkA --> eth0 eth1<----- External NetworkB
!** br0 **!

Ping Results at the moment( Before loading of the firewall script)
=============================================

Internal NetworkA PCs can ping and access PCs on External NetworkB,
and vice versa.

Linux PC can ping Internal NetworkA PCs and also External NetworkB.

Ok....this means that External NetworkB can use the internet and access internal shares 100%. This works at the moment. Internet on External NetworkB runs via the router in Internal NetworkA.

WHAT I WANT TO DO IS:
=================

I want the "FIREWALL" script to do the following:

* Block "ALL INCOMING" traffic from "External NetworkB (Eth1)", so all traffic going to br0 (192.168.29.100) from "External NetworkB (Eth1)" will be DROPPED.

* Traffic from "External NetworkB" will mostly go to the ADSL router (192.168.29.1) for internet access. So this MUST BE BLOCKED by the Linux box.

* Now...I want to "ALLOW" only certain IPs in "EXTERNAL NETWORKB" to get access to "Internal NetworkA" and so be allowed to get access to the internet and the internal network PCs.

=====================================
All Internal NetworkA PCs will have access to the ADSL router, which is what I want. Because the router is INSIDE the internal network...and not on the other side of the bridge, the bridge firewall will then have NO effect on "Internal NetworkA" trying to access the ADSL internet...which is 100% fine. "I think this statement is correct."



MY CURRENT FIREWALL SCRIPT
===========================

Run script:
> chmod +x firewall
> ./firewall



#!/bin/bash

# SN: 13098209 | Pieterse, Iwan | Copyright 2002-2004 (ssengnihtoN Basic Script)

# Reset the default policies in the filter table.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP # While loading.
# Reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Reset the default policies in the mangle table.
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Flush all the rules in the filter and nat tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Erase all chains that's not default in filter and nat table.
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Reset the counters.
iptables -Z

# Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# ICMP Broadcasting protection.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Colour constants.
cyan="\033[40;36m" # Configuration

#
# Configuration
#
LocalNetwork="192.168.29.20" # IPs to allow internet access
echo -e "$cyan IP(s) to FORWARD, MASQUERADE and DROP: $LocalNetwork"

# Values to use for logging.
LIMITLOG="-m limit --limit 4/h --limit-burst 1 -j LOG --log-level alert --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix"
# Constants
ALL="INPUT FORWARD OUTPUT"
VIOLATE="-m recent --set --name VIOLATED -j DROP"

#
# Drop INPUT from hosts in the VIOLATED list.
#
iptables -A INPUT -s ! 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 300 -j DROP
iptables -A FORWARD -s ! 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 120 -j DROP

#
# Accept ESTABLISHED and RELATED connections on ports 1024:65535
#
for Chain in $ALL; do

iptables -A $Chain -m state --state ESTABLISHED -j ACCEPT
iptables -A $Chain -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
iptables -A $Chain -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT

done

#
# IP(s) to FORWARD, MASQUERADE and DROP.
# (Note: this box has no ppp interface; the ADSL router sits on the LAN
# at 192.168.29.1, so the rules that match on ppp+ never see any traffic.)
#
for IP in $LocalNetwork; do

# Accept all your LAN IP(s) explicitly.
iptables -A INPUT -s $IP -i eth+ -j ACCEPT
# Forward your LAN.
iptables -A FORWARD -i eth+ -o ppp+ -s $IP -d ! $IP -j ACCEPT
iptables -A FORWARD -i ! ppp+ -m state --state NEW -s $IP -j ACCEPT
# Masquerading.
iptables -t nat -A POSTROUTING -o ppp+ -s $IP -d ! $IP -j MASQUERADE

done

#
# Explicit ACCEPT / helper modules only!
#
for Chain in $ALL; do

iptables -A $Chain -m helper --helper irc -j ACCEPT
iptables -A $Chain -m helper --helper ftp -j ACCEPT

done

#
# Interpret
#
iptables -t mangle -A POSTROUTING -o ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# IRC priority/precedence.
iptables -t mangle -A PREROUTING -p tcp --dport 6667 -j TOS --set-tos Minimize-Delay

#
# Unauthorized Packets.
#
iptables -N Attack
iptables -A INPUT -m state --state NEW -j Attack
iptables -A Attack $LIMITLOG "Unauthorized Packet: "
iptables -A Attack $VIOLATE
iptables -A Attack -j DROP

#
# Change default policy.
#
iptables -P OUTPUT ACCEPT

============================================
My Problem with Script

As you will see with the above script.....only PC3 (192.168.29.20) on External NetworkB will be given access through the bridge into "Internal NetworkA" and so be able to use the internet. This does work because PC3 can still ping "Internal NetworkA" and access the internet. BUT SO CAN THE OTHER PCs, LIKE PC4 on External NetworkB, which WAS NOT allowed in the script. SO IT LOOKS LIKE the script does not block any traffic or IPs.

According to the script, only PC3 (192.168.29.20) will have access to the internet, and it does...But if I change PC3's IP to 192.168.29.50 (which does not have access) it still has internet access and can still ping internal PCs.

Ping Results NOW( AFTER loading of the firewall script)
=============================================

* I can't ping the Linux box (192.168.29.100) from the internal or external networks. Which is ok because I don't need to ping it....but anyway...this was possible before I loaded the script.

* The Linux box can ping "INTERNAL NETWORKA" PCs, but can't ping "EXTERNAL PCs". No reply from External Network PCs.


MY QUESTION IS: WHAT IS WRONG WITH MY SCRIPT? Can anybody find a problem here?

I didn't write this script myself...someone gave it to me and i just edited it.

P L E A S E H E L P

thnx

Last edited by extremebfn; 09-05-2004 at 02:09 AM.
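An added example, not part of the post above and not the poster's script. The layout in the post is a layer-2 bridge, so frames between eth0 and eth1 are switched, not routed: they only traverse the iptables INPUT/FORWARD chains when the kernel has bridge-netfilter support (built into 2.6 kernels, a separate patch for 2.4, the br_netfilter module on current kernels), and once they do, `-i`/`-o` see `br0`, not the physical port, so the port has to be selected with the physdev match. The posted script also matches on `ppp+`, an interface this box does not have. The script below assumes bridge-netfilter is active, iptables has the physdev and mac matches, and uses the interface names and the allowed address from the post; the MAC address is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): a bridge firewall for the
# eth0 / eth1 / br0 layout described above.  Assumes a kernel with
# bridge-netfilter (bridged frames traverse the iptables INPUT/FORWARD
# chains) and an iptables build with the physdev and mac matches.
set -eu

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of loading them
INSIDE_IF="eth0"            # bridge port facing Internal Network A (and the ADSL router)
OUTSIDE_IF="eth1"           # bridge port facing External Network B

# "IP MAC" pairs on Network B allowed to cross into Network A.  The MAC is a
# constructed placeholder.  Pinning it stops another B host from simply
# adopting an allowed address, which is all that an IP-only rule checks
# (MACs can be spoofed too, so this raises the bar rather than closing it).
# Use "-" as the MAC to skip the MAC check for that host.
ALLOWED_B_HOSTS="
192.168.29.20 00:11:22:33:44:55
"

enable_bridge_filtering() {
    # 2.6+ kernels expose the switch here; on current kernels load the
    # br_netfilter module first (modprobe br_netfilter) or the file is absent.
    if [ -w /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    fi
}

bridge_firewall_rules() {
    # Default-deny first, then flush, so the script can be re-run safely.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    # Loopback, plus replies to sessions the box or Network A started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Goal 1: nothing arriving on the Network B port may talk to br0 itself.
    $IPT -A INPUT -m physdev --physdev-in "$OUTSIDE_IF" -j DROP
    # Network A may still reach the box (ping, ssh, ...).
    $IPT -A INPUT -m physdev --physdev-in "$INSIDE_IF" -j ACCEPT

    # Network A may open connections towards Network B.
    $IPT -A FORWARD -m physdev --physdev-in "$INSIDE_IF" --physdev-out "$OUTSIDE_IF" \
        -m state --state NEW -j ACCEPT

    # Goals 2 and 3: from Network B only the listed hosts may cross into
    # Network A (and so reach the ADSL router at 192.168.29.1); every other
    # B host falls through to the FORWARD DROP policy.
    printf '%s\n' "$ALLOWED_B_HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        if [ "$mac" = "-" ]; then
            $IPT -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" --physdev-out "$INSIDE_IF" \
                -s "$ip" -m state --state NEW -j ACCEPT
        else
            $IPT -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" --physdev-out "$INSIDE_IF" \
                -s "$ip" -m mac --mac-source "$mac" -m state --state NEW -j ACCEPT
        fi
    done

    # Rate-limited log of what the policy is about to drop from Network B,
    # so the "does it block PC4?" test can be checked in the kernel log.
    $IPT -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" -m limit --limit 4/min \
        -j LOG --log-prefix "bridge-drop: "
}

# Only touch the live firewall when asked: "./bridgefw apply".
# "./bridgefw show" prints the rules without loading them.
case "${1:-}" in
    apply) enable_bridge_filtering; bridge_firewall_rules ;;
    show)  IPT=echo; bridge_firewall_rules ;;
esac
```

To check the result after `apply`, repeat the poster's own test: give a Network B host an address that is not in ALLOWED_B_HOSTS and confirm it can no longer ping 192.168.29.1, then watch `iptables -L FORWARD -v` counters and the "bridge-drop:" kernel log lines climb while it tries.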