Old 04-02-2003, 05:04 PM   #1
Diluted
LQ Newbie
 
Registered: Apr 2003
Posts: 1

Need some assistance with iptables rulesets...


I have sort of a unique situation here and I am trying to design a ruleset to cover it...

I have 3 networks which we can call CompanyA, CompanyB, and Services

Company A and CompanyB need to have pretty much unfettered communication. The Services network has things like webservers and other things that need to be accessed from both CompanyA and CompanyB. I want to allow access to Services via port 80, 8080, and 3389 (for terminal services) for the time being, all TCP.

So far the ruleset I have is this:
(eth0 is CompanyA, eth1 is CompanyB, eth2 is Services)

-A INPUT -j INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 --protocol tcp --sport 80 -j ACCEPT
-A INPUT -i eth2 --protocol tcp --sport 8080 -j ACCEPT
-A INPUT -i eth2 --protocol tcp --sport 3389 -j ACCEPT
-A INPUT -i eth2 -j DROP
-A OUTPUT -o eth2 --protocol tcp --sport 80 -j ACCEPT
-A OUTPUT -o eth2 --protocol tcp --sport 8080 -j ACCEPT
-A OUTPUT -o eth2 --protocol tcp --sport 3389 -j ACCEPT
-A OUTPUT -o eth2 -j DROP


Keep in mind I'm a complete newbie to iptables and this is just what seems logical to me, so be gentle!

Does this look good or does this look like a wrong or incorrect way to do this?

Thanks!
 
Old 04-16-2003, 07:53 AM   #2
Sutekh
Member
 
Registered: Apr 2002
Location: Melbourne, Australia
Distribution: Gentoo
Posts: 273

OK a few things you need to do here....

Firstly, the INPUT and OUTPUT chains are only relevant for the actual gateway box itself. The FORWARD chain is for the packets being sent through the gateway box. In other words, any packets being sent from, say, CompanyA to Services will go through the FORWARD chain, so this is where most of your rules need to be.

Secondly, sport means source port. When an HTTP connection (for example) is established, the client connects to port 80 on the server from a random(-ish) local port.

So what you want is rules on the FORWARD chain that allow connections to the ports you listed, coming from eth0 or eth1 and going to eth2.

i.e.

-A FORWARD -i eth0 -o eth2 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT

etc..

You can then use a state-based rule to let the traffic back through:

-A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

This tells iptables to let through any connection from eth2 that has already been established; in other words, it originated from a machine on CompanyA or B and this is the response from Services.

You should also set your default policy to DROP:

-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

Just be careful when you are initially testing: if you are on a remote machine and haven't set up a rule to allow ssh (or whatever you use) through, then you will lock yourself out.

My advice would be to start small and work your way up. Start by getting CompanyA & B talking to each other, then start making changes to the rules to allow, say, port 80 services through to eth0 and go from there.

It may also be useful to log failed attempts so you can see what is going on. This can be extremely useful while you are setting up, especially if you are not quite sure what the rules are going to do.

Something like

-A FORWARD -j LOG --log-prefix "FWD: "

will give you a list of all failed attempts on the forward chain (make sure this is the last rule in the set, before the final DROP).

I also use a log colouriser to highlight the iptables stuff and just follow the logs as I go.

Hope this helps get you going

Rich
-
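The ruleset Sutekh describes, assembled for the original poster's three-interface layout as an added example (not code from either post): a shell function that emits the rules in iptables-restore format so they can be reviewed before loading. The admin SSH rule and its interface are an assumption added to avoid the lock-out mentioned above.

```shell
#!/bin/sh
# Added example: generate the FORWARD-based ruleset for eth0 (CompanyA),
# eth1 (CompanyB) and eth2 (Services). Nothing is applied here; inspect the
# output, then load it with:  gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
A_IF="eth0"
B_IF="eth1"
SVC_IF="eth2"
SVC_PORTS="80 8080 3389"   # TCP ports the poster wants reachable on Services
SSH_FROM="$A_IF"           # assumption: admin SSH to the gateway arrives on eth0

gen_rules() {
    printf '%s\n' '*filter'
    # Default policies DROP, as advised; every rule below is an exception.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Gateway itself: loopback, replies to its own traffic, and admin SSH.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $SSH_FROM -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    printf '%s\n' '-A OUTPUT -j ACCEPT'
    # Traffic through the box lives in FORWARD. Return traffic first (state match).
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # CompanyA <-> CompanyB: unfettered, both directions.
    printf '%s\n' "-A FORWARD -i $A_IF -o $B_IF -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $B_IF -o $A_IF -j ACCEPT"
    # Clients -> Services only on the listed *destination* ports (--dport, not --sport).
    for in_if in $A_IF $B_IF; do
        for port in $SVC_PORTS; do
            printf '%s\n' "-A FORWARD -i $in_if -o $SVC_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    # Log whatever falls through, just before the default policy drops it.
    printf '%s\n' '-A FORWARD -j LOG --log-prefix "FWD: "'
    printf '%s\n' 'COMMIT'
}

# Number of rules generated for one chain; a quick sanity check on the output.
rule_count() { gen_rules | grep -c "^-A $1 "; }
```

Remember that the gateway also needs IP forwarding enabled (net.ipv4.ip_forward=1) for the FORWARD chain to see any traffic at all.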
 