LinuxQuestions.org
Old 07-29-2004, 02:46 PM   #1
Neelesh
LQ Newbie
 
Registered: Jul 2004
Posts: 4

Rep: Reputation: 0
Iptables firewall in multiple LAN interfaces


Hi, All

Can anyone help me in building a firewall in the following environment?

I have a Fedora Core 1 Linux machine with 3 NICs:

1st NIC has IP address 192.68.0.1 (eth0)
2nd NIC has IP address 172.24.0.1 (eth1)
3rd NIC has IP address 10.3.0.1 (eth2)

All three networks' default gateway is the Linux box, respectively.

Default gateway of the Linux box is 192.168.0.254.

I want to achieve the following scenario:

1. 172 series LAN should be able to access the other two LANs
2. 10 series LAN should be able to access 192 only
3. 192 series can only access 172.

What iptables forwarding policies will apply???
What route should I insert?

Thanks a lot in advance.

-Neelesh
 
Old 07-29-2004, 11:39 PM   #2
osvaldomarques
Member
 
Registered: Jul 2004
Location: Rio de Janeiro - Brazil
Distribution: Conectiva 10 - Conectiva 8 - Slackware 9 - starting with LFS
Posts: 519

Rep: Reputation: 34
Hi Neelesh,
You have to think of a firewall as a door. When the door is open, it can be crossed in both directions. So, if you have rules which permit NIC 0 to talk with NIC 1, you must have rules for NIC 1 to talk with NIC 0. In your case, if 172 can talk with 10 and 192, then 10 should be able to talk with 172, not 192.
 
Old 07-31-2004, 01:59 AM   #3
Neelesh
LQ Newbie
 
Registered: Jul 2004
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by osvaldomarques
Hi Neelesh,
You have to think of a firewall as a door. When the door is open, it can be crossed in both directions. So, if you have rules which permit NIC 0 to talk with NIC 1, you must have rules for NIC 1 to talk with NIC 0. In your case, if 172 can talk with 10 and 192, then 10 should be able to talk with 172, not 192.
I made a mistake.

I want to make my 172 secure, so no one should enter the 172 network.

What policies should I use while forwarding the packets in iptables?

-Neelesh
 
Old 07-31-2004, 02:19 PM   #4
osvaldomarques
Member
 
Registered: Jul 2004
Location: Rio de Janeiro - Brazil
Distribution: Conectiva 10 - Conectiva 8 - Slackware 9 - starting with LFS
Posts: 519

Rep: Reputation: 34
Hi Neelesh,
Please, correct me if what I say is wrong:
- the 172 network is your internal network;
- the 192 network is your access to the public internet;
- the 10 network is for any public service you want to offer.
If the above statements are right, you need a firewall with a DMZ (demilitarized zone).
You can find several samples, tutorials and scripts for this at the following link: www.linuxguruz.com/iptables.
Have a nice weekend!
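A FORWARD-chain rule set for the three-NIC layout discussed in this thread, written here as an added example and not code posted by either participant. It assumes eth0/192.168.0.0/24 is the upstream side, eth1/172.24.0.0/16 the internal network and eth2/10.3.0.0/16 the DMZ (the netmasks are assumptions, since the thread only gives host addresses); it lets 172 open connections anywhere, lets 10 and 192 talk to each other, and relies on conntrack so that only replies to connections opened from 172 come back through the "door" from post #2.

```shell
#!/bin/sh
# Added example for the three-NIC box in this thread (not from the thread itself).
# Assumed layout: eth0 = 192.168.0.0/24 (upstream side), eth1 = 172.24.0.0/16
# (internal), eth2 = 10.3.0.0/16 (DMZ). Masks are assumptions, not from the thread.
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IF=eth0
INT_IF=eth1; INT_NET=172.24.0.0/16
DMZ_IF=eth2; DMZ_NET=10.3.0.0/16

build_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # The "door" from post #2: replies to connections accepted below may return
    # through any interface, but only because conntrack saw them go out first.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal (172) may open connections to both other networks; the -s match
    # also drops packets arriving on eth1 with a forged non-172 source address.
    $IPT -A FORWARD -i $INT_IF -s $INT_NET -o $DMZ_IF -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INT_IF -s $INT_NET -o $EXT_IF -m state --state NEW -j ACCEPT
    # DMZ (10) may open connections toward the 192 side only.
    $IPT -A FORWARD -i $DMZ_IF -s $DMZ_NET -o $EXT_IF -m state --state NEW -j ACCEPT
    # The 192 side (and whatever reaches it from upstream) may use DMZ services;
    # no -s match here because upstream sources are arbitrary.
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -m state --state NEW -j ACCEPT
    # No rule above accepts NEW toward eth1, so nothing can enter 172; log such
    # attempts before the final drop so they appear in the kernel log.
    $IPT -A FORWARD -o $INT_IF -m state --state NEW -j LOG --log-prefix "FWD-INT-DENY: "
    $IPT -A FORWARD -j DROP
}

case "${1:-show}" in
    apply) sysctl -w net.ipv4.ip_forward=1 && build_forward_rules ;;
    show)  IPT="echo iptables"; build_forward_rules ;;
esac
```

Run with no argument to print the rules for review; run with `apply` as root to enable forwarding and load them.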