LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-19-2012, 03:33 PM   #1
sleepylight
Member
 
Registered: Apr 2004
Location: Joppa
Posts: 30

iptables rules to limit nat forwarding


Hi,

I need to build a DMZish firewall. I have two networks. One local to a lab with a 10.40.1.X/24 network and a second, which is a subnet of a much larger network (we'll say 192.168.14.X/24). I have a host sitting between the two networks acting as a router, and my IP forwarding works just fine, but what I'd like to do is restrict any traffic coming from the 10.40.1.X network to only access hosts in the 192.168.14.X network. Right now, my firewall allows anything on the 10.40.1.X network to pass through the router, through the 192.168.14.1 network and out to the internet. It's the last hop I need to curtail.

If I'm unclear, let me try and draw what I have and what I need.

lab (NATed) network 10.40.1.X
infrastructure network 192.168.14.X
lab router eth0 = 192.168.14.65
lab router eth1 = 10.40.1.1
infrastructure router 192.168.14.1

lab -> lab is ok
10.40.1.X to 10.40.1.X OK

lab -> infrastructure is ok
10.40.1.X -> 192.168.14.2-255 OK

lab -> infrastructure router needs to be disallowed
10.40.1.X -> 192.168.14.1 NOT OK

lab -> anything other than infrastructure network to be disallowed
10.40.1.X -> facebook.com NOT OK

I'll post the iptables I have now, but I'd really appreciate some help getting them into shape. I'm sure I need to adjust the FORWARD and INPUT chains, I'm just not sure of the syntax. Thanks for the help.

Code:
# table header and INPUT policy line are not in the paste; restored here so
# iptables-restore can load the fragment (INPUT policy assumed to be ACCEPT)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# matches before any restriction, so lab hosts can ping anywhere
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
# these two match on interface only: any packet arriving from the lab,
# or leaving towards the infrastructure side, is forwarded whatever its destination
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
Old 07-19-2012, 06:06 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

You could simply remove the default gateway entry from your router host's routing table. Then there won't be a matching route for an external IP address, only one for the infrastructure network.

The default gateway for hosts in the lab should be 10.40.1.1. That will allow traffic to the infrastructure via eth0 on the lab router.

You could replace these two rules:
Code:
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
with rules allowing forwarding only between 10.40.1.0/24 and 192.168.14.0/24 but it shouldn't be absolutely necessary unless you can't trust the hosts in the lab not to change the default gateway to the infrastructure's router.

Last edited by jschiwal; 07-19-2012 at 06:18 PM.
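As an added example (not code from either poster), here is one way to realise what the first post asks for and the reply sketches: a FORWARD chain that matches on the two networks rather than on interfaces, with the refusal for 192.168.14.1 placed ahead of the /24 allow. Interface names and addresses are taken from the first post. The nat table is an assumption, since the post calls the lab NATed but shows no nat rules; the INPUT rules are kept as posted, minus the redundant -m tcp/-m udp matches.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# Builds an iptables-restore ruleset for the lab router: hosts in
# 10.40.1.0/24 may reach 192.168.14.0/24 except the infrastructure
# router 192.168.14.1, and nothing beyond it. Interfaces and addresses
# are from the first post; the nat table is an assumption (the post says
# the lab is NATed but did not show its nat rules).
set -eu

LAB_IF=eth1             # lab side of the router, 10.40.1.1
INFRA_IF=eth0           # infrastructure side, 192.168.14.65
LAB_NET=10.40.1.0/24
INFRA_NET=192.168.14.0/24
INFRA_GW=192.168.14.1   # the one infrastructure host the lab must not reach

# Print the whole ruleset in iptables-save format ('#' lines are ignored
# by iptables-restore, so the comments can stay in).
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade lab traffic only when it is headed for the infrastructure
# network; the filter table below refuses every other destination anyway.
-A POSTROUTING -s $LAB_NET -d $INFRA_NET -o $INFRA_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT kept as in the original post.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAB_IF -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Replies to connections the lab opened.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The refusal for the infrastructure router sits ABOVE the /24 allow:
# iptables takes the first matching rule, so the order is the policy.
-A FORWARD -i $LAB_IF -s $LAB_NET -d $INFRA_GW -j REJECT --reject-with icmp-host-prohibited
# Lab -> rest of the infrastructure network, any protocol (ICMP included).
# Matching on addresses, not just interfaces, is what closes the last hop.
-A FORWARD -i $LAB_IF -o $INFRA_IF -s $LAB_NET -d $INFRA_NET -j ACCEPT
# Everything else (lab -> Internet, infrastructure -> lab) is refused.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Line number, within gen_rules output, of the first rule containing the
# given fixed string; lets a caller confirm a deny precedes its allow.
rule_line() {
    gen_rules | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

# Load the ruleset atomically, then prove the two decisive rules are in
# place (iptables -C exits 0 only if a matching rule exists). Needs root.
apply_rules() {
    gen_rules | iptables-restore
    iptables -C FORWARD -i "$LAB_IF" -s "$LAB_NET" -d "$INFRA_GW" \
        -j REJECT --reject-with icmp-host-prohibited
    iptables -C FORWARD -i "$LAB_IF" -o "$INFRA_IF" \
        -s "$LAB_NET" -d "$INFRA_NET" -j ACCEPT
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to print the ruleset for review, or with `apply` (as root) to load it and confirm the two decisive rules with `iptables -C`. The posted `-A FORWARD -p icmp -j ACCEPT` is left out on purpose: it sat above every restriction, so the lab could still ping Internet hosts through it, while ICMP to the infrastructure network is already covered by the scoped ACCEPT. Dropping the router's default route, as the reply suggests, also stops the last hop, but the address-scoped rules keep holding if that route is ever reinstated.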
 
  


Tags: dmz, iptables, nating