Hi!
I have a kind of different network configuration.
The problem is having a firewall(ubuntu)!
So:
eth0 - connected to a cisco router (behind even more networks)
eth1 - connected to a cisco router2 and bridge to vmware workstation.
wlan0 - connected to Internet via adsl
Cisco routers are routing rip between each other.
Everything works, problem is that i want to configure a firewall in ubuntu. The firewall should protect from wlan0 but no security between
eth0 and eth1.
Im not so good with iptables. Tried Firestarter and Guarddog but they are allways blocking one of the ethernet interfaces (see's it as external network). Pls help!!

Attached

Attached Files

my_network.pdf (79.8 KB, 40 views)

OK! I've done some reading on iptables and this is what i came up with:
------------------------------------------------------------------------
#!/bin/bash
# flush all chains
iptables -F
#Set the default policy for each of the pre-defined chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#User-defined chain for ACCEPTed packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
#Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth0 -s 192.168.22.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -s 192.168.23.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 192.168.55.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.22.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.23.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.55.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.70 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 192.168.22.255 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 192.168.23.255 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.55.255 -j ACCEPT
#Packets for established connections
iptables -A INPUT -p ALL -d 192.168.0.70 -m state --state \ESTABLISHED,RELATED -j ACCEPT
#TCP rules
#iptables -A INPUT -p TCP -i wlan0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth1 -s 192.168.55.1 -d 192.168.0.70 --destination-port 1974 -j okay
#UDP rules
#iptables -A INPUT -p UDP -i wlan0 -s 0/0 --destination-port 53 -j ACCEPT
#ICMP rules
#iptables -A INPUT -p ICMP -i wlan0 -s 0/0 --icmp-type 8 -j ACCEPT
#iptables -A INPUT -p ICMP -i wlan0 -s 0/0 --icmp-type 11 -j ACCEPT
#Forward chain rules
#Accept the packets we want to forward
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i wlan0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
----------------------------------------------------------------------
Communication between eth0 and eth1 works, and they both have access to internet. Problem : Ubuntu doesn't have access to internet. Pls tell me what i am doing wrong!

Where do you masquerade your packets going from LANs to WAN ?

I haven't seen any firewall rule for that.

Don't need that- etho,eth1 and vlan0 are routed via rip or static routes.
My ADSL router takes care of the NAT.
Fond a problem , now it looks like it works:
iptables -P OUTPUT DROP #changed to ACCEPTED

What im trying to do is to have different segments all behind a ADSL router which is connected to Internet. The firewall in that router is quite bad. So i am trying to protect the segments from my own wireless segment even i dont really have to

Still have to do some reading about opening ports between the segments.
Im studying CISCO so i dont have that much time for iptables!