LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables rules to limit nat forwarding (http://www.linuxquestions.org/questions/linux-security-4/iptables-rules-to-limit-nat-forwarding-4175417665/)

sleepylight 07-19-2012 04:33 PM

iptables rules to limit nat forwarding
 
Hi,

I need to build a DMZish firewall. I have two networks. One local to a lab with a 10.40.1.X/24 network and a second, which is a subnet of a much larger network (we'll say 192.168.14.X/24). I have a host sitting between the two networks acting as a router, and my IP forwarding works just fine, but what I'd like to do is restrict any traffic coming from the 10.40.1.X network to only access hosts in the 192.168.14.X network. Right now, my firewall allows anything on the 10.40.1.X network to pass through the router, through the 192.168.14.1 network and out to the internet. It's the last hop I need to curtail.

If I'm unclear, let me try and draw what I have and what I need.

lab (NATed) network 10.40.1.X
infrastructure network 192.168.14.X
lab router eth0 = 192.168.14.65
lab router eth1 = 10.40.1.1
infrastructer router 192.168.14.1

lab -> lab is ok
10.40.1.X to 10.40.1.X OK

lab -> infrastucture is ok
10.40.1.X -> 192.168.14.2-255 OK

lab -> infrastucture router needs to be disallowed
10.40.1.X -> 192.168.14.1 NOT OK

lab -> anything other than infrastructure network to be disallowed
10.40.1.X -> facebook.com NOT OK

I'll post the iptables I have now, but I'd really appreciate some help getting them into shape. I'm sure I need to adjust the FORWARD and input chains, I'm just not sure of the syntax. Thanks for the help.

:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

jschiwal 07-19-2012 07:06 PM

You could simply remove the default gateway entry from your router host's routing table. The there won't be a matching route for an external IP address but one for the infrastructure network.

The default gateway for hosts in the lab should be 10.40.1.1. That will allow traffic to the infrastructure via eth0 on the lab router.

You could replace these two rules:
Code:

-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT

with rules allowing forwarding only between 10.40.1.0/24 and 192.168.14.0/24 but it shouldn't be absolutely necessary unless you can't trust the hosts in the lab not to change the default gateway to the infrastructure's router.


All times are GMT -5. The time now is 11:38 AM.