LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-03-2007, 07:32 AM   #1
t0bias
Member
 
Registered: Aug 2005
Distribution: Fedora 13, RHEL 5.3, Ubuntu 10.04, Debian Lenny
Posts: 128

Rep: Reputation: 16
iptables: deny connections from dmz to lan


hi there,

i need to drop any packages from the dmz to lan, so i tried
iptables -A INPUT -s 172.16.1.0/24 -d 10.0.10.0/24 -j DROP
as well as
iptables -A FORWARD -s 172.16.1.0/24 -d 10.0.10.0/24 -j DROP
but i can still connect.
what did i do wrong?

thanks,

toby
 
Old 10-03-2007, 07:46 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
You really should do this by specifying the interfaces instead of the networks IMHO.

Assuming your DMZ is on eth2 and your LAN is on eth1, it would go like:
Code:
iptables -I FORWARD -i eth2 -o eth1 -j DROP
But you should really try to make these type of rules non-necessary in the first place. To do that, you set your policy to DROP and then make exceptions by adding ACCEPT rules. Since you wouldn't have an ACCEPT rule for DMZ to LAN traffic, it would be firewalled by default. It's just a suggestion.

Last edited by win32sux; 10-03-2007 at 07:53 AM.
 
Old 10-03-2007, 07:51 AM   #3
t0bias
Member
 
Registered: Aug 2005
Distribution: Fedora 13, RHEL 5.3, Ubuntu 10.04, Debian Lenny
Posts: 128

Original Poster
Rep: Reputation: 16
well i cannot connect via ssh to the hosts in the dmz from the lan anymore then..?
 
Old 10-03-2007, 07:56 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by t0bias View Post
well i cannot connect via ssh to the hosts in the dmz from the lan anymore then..?
Sure, just have a rule for RELATED,ESTABLISHED packets fall on top. Like:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -m state --state NEW -j DROP
So now connections can be started from eth1 to eth2 but not vice-versa.

Once again, you really should try to make these DROP rules non-necessary if possible.

Last edited by win32sux; 10-03-2007 at 08:15 AM.
 
  


Reply

Tags
drop, iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DMZ to LAN rsync reckless2k2 Linux - Networking 4 06-10-2007 06:16 AM
question about iptables (DMZ machine connect to other DMZ machine 's publuic IP) wingmak Linux - Security 1 01-20-2007 04:01 PM
deny ssh access from lan with iptables NuLLiFiEd Linux - Security 10 12-01-2005 07:11 PM
Deny connections from an IP, a whole Class C,... sarmadys Linux - Security 3 01-04-2005 07:52 AM
IPTABLES - LAN can't get to DMZ with public IP dknell Linux - Security 4 02-28-2002 08:02 AM


All times are GMT -5. The time now is 03:45 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration