iptables rules to limit nat forwarding
I need to build a DMZish firewall. I have two networks. One local to a lab with a 10.40.1.X/24 network and a second, which is a subnet of a much larger network (we'll say 192.168.14.X/24). I have a host sitting between the two networks acting as a router, and my IP forwarding works just fine, but what I'd like to do is restrict any traffic coming from the 10.40.1.X network to only access hosts in the 192.168.14.X network. Right now, my firewall allows anything on the 10.40.1.X network to pass through the router, through the 192.168.14.1 network and out to the internet. It's the last hop I need to curtail.
If I'm unclear, let me try and draw what I have and what I need.
lab (NATed) network 10.40.1.X
infrastructure network 192.168.14.X
lab router eth0 = 192.168.14.65
lab router eth1 = 10.40.1.1
infrastructer router 192.168.14.1
lab -> lab is ok
10.40.1.X to 10.40.1.X OK
lab -> infrastucture is ok
10.40.1.X -> 192.168.14.2-255 OK
lab -> infrastucture router needs to be disallowed
10.40.1.X -> 192.168.14.1 NOT OK
lab -> anything other than infrastructure network to be disallowed
10.40.1.X -> facebook.com NOT OK
I'll post the iptables I have now, but I'd really appreciate some help getting them into shape. I'm sure I need to adjust the FORWARD and input chains, I'm just not sure of the syntax. Thanks for the help.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
You could simply remove the default gateway entry from your router host's routing table. The there won't be a matching route for an external IP address but one for the infrastructure network.
The default gateway for hosts in the lab should be 10.40.1.1. That will allow traffic to the infrastructure via eth0 on the lab router.
You could replace these two rules:
|All times are GMT -5. The time now is 05:11 AM.|