LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-03-2015, 09:50 AM   #1
paul2015
Member
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149
iptables, zones and traffic management


Hello everyone,

I have a question about creating iptables zones and managing traffic with zones. In my example, does that mean that IZONE only accepts traffic from the external interface "eth0" and sends to it? And do I need to define any more, like "iptables -A IZONE -i eth0" and "iptables -A IZONE -o eth0"?


Example:

IP address:
eth0/192.168.1.100

Interfaces:
eth0 - external interface
eth1 - internal interface

#!/bin/bash

# Flush all rules, delete all user-defined chains and zero the counters
# in the filter, nat and mangle tables, so the script starts from a clean state
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle
iptables -Z

# Default policies: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# One user-defined chain per interface ("zone")
iptables -N IZONE
iptables -N LZONE

# Everything arriving on or leaving through eth0 (external) is handled by IZONE
iptables -A INPUT -i eth0 -j IZONE
iptables -A OUTPUT -o eth0 -j IZONE

# Everything arriving on or leaving through eth1 (internal) is handled by LZONE
iptables -A INPUT -i eth1 -j LZONE
iptables -A OUTPUT -o eth1 -j LZONE

# IZONE: DNS over TCP from this host to 8.8.8.8, and the replies that belong to it
iptables -A IZONE -p tcp -s 192.168.1.100 -d 8.8.8.8 --dport 53 -m conntrack --ctstate \
NEW,ESTABLISHED -j ACCEPT
iptables -A IZONE -p tcp -s 8.8.8.8 -d 192.168.1.100 --dport 53:65535 -m conntrack --ctstate \
ESTABLISHED -j ACCEPT

# IZONE: HTTP from this host to anywhere, and the replies that belong to it
iptables -A IZONE -p tcp -s 192.168.1.100 -d 0/0 --dport 80 -m conntrack --ctstate \
NEW,ESTABLISHED -j ACCEPT
iptables -A IZONE -p tcp -s 0/0 -d 192.168.1.100 --dport 80:65535 -m conntrack --ctstate \
ESTABLISHED -j ACCEPT


Thank you
Old 12-05-2015, 03:43 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by paul2015
I have a question about creating iptables zones and managing traffic with zones.
I'm not seeing any Netfilter-centric "zoning" concept here: just usage of arbitrary chain names.


Quote:
Originally Posted by paul2015
In my example, does that mean that IZONE only accepts traffic from the external interface "eth0" and sends to it?
Yes, the filter table INPUT chain routes all traffic from eth0 to chain "IZONE", just like the filter table INPUT chain routes all traffic from eth1 to chain "LZONE".


Quote:
Originally Posted by paul2015
And do I need to define any more, like "iptables -A IZONE -i eth0" and "iptables -A IZONE -o eth0"?
Try putting into words what those rules would do and explain what you are trying to accomplish?
Old 12-06-2015, 06:07 AM   #3
paul2015
Member
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149
Original Poster
Thank you,

you completely answered my question about how traffic is redirected from INPUT -i eth0 to chain IZONE, so I don't need to write a rule like "iptables -A INPUT -i eth0 -p tcp ...."; instead I can write "iptables -A IZONE -p tcp ....", and it means that the traffic comes from the eth0 interface. About "zones", I was wrong that it is the chains I am creating (IZONE, LZONE). But I have read that "The firewalld daemon manages groups of rules using entities called "zones". Zones are basically sets of rules dictating what traffic should be allowed depending on the level of trust you have in the networks your computer is connected to. Network interfaces are assigned a zone to dictate the behavior that the firewall should allow."

So, as the level of trust for the local network, I will use GZONE (green zone) as the name of the chain, and for the internet RZONE (red zone) as the name of the chain, and then dictate what traffic will be blocked and where it will go. Will these chains function like zones?
Old 12-06-2015, 07:10 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
I do not have any clue (yet) as to how firewalld handles "zones" (as one of the first things I do is disable firewalld and enable good ol' iptables.service), so if you want to stay with the "zone" concept then using whatever interface firewalld provides for managing rule sets is probably the most efficient way?
Old 12-06-2015, 07:29 AM   #5
paul2015
Member
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149
Original Poster
Well, I do the same when I configure a firewall: remove firewalld and install iptables-services. I don't want to stay with the zone concept; I was just interested in whether there are some advantages of using zones. If zones, as written, are sets of rules assigned to a network interface and firewalld controls what behavior should be allowed, it means that I can do the same with iptables. For example: name chains with "zone" names, redirect traffic from a specific interface to that chain "zone", and manage the set of rules associated with that chain "zone" as I need. There is nothing new, I guess.
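The chain-per-interface scheme from the first post's script, restated in post #5 (a chain named after a "zone", one jump per interface, a rule set managed per chain), written out as an added example that is not part of this thread: a POSIX sh script that generates an iptables-restore ruleset for a red zone on eth0 and a green zone on eth1. The interface names, the external address 192.168.1.100, the DNS server 8.8.8.8 and the DNS/HTTP services are taken from the thread's script; the RZONE/GZONE names are the ones proposed in post #3; the green-side address 10.0.0.1, the SSH rule, the ZONE_DROP chain and the single ESTABLISHED,RELATED rule per zone are assumptions added for this example. The script only prints the ruleset, so it can be reviewed first and then checked with iptables-restore --test (where the installed version supports it) before it is ever applied.

```shell
#!/bin/sh
# Added example (not from the thread): "zones" as per-interface user chains.
# Prints an iptables-restore ruleset to stdout; nothing is applied by this script.
# Interface names, addresses and allowed services are assumptions for illustration.

# Interface -> zone chain mapping (constructed for the example).
zone_for() {
    case "$1" in
        eth0) echo RZONE ;;   # red: untrusted internet side
        eth1) echo GZONE ;;   # green: trusted LAN side
        *)    return 1 ;;     # unknown interface: no zone, caller decides
    esac
}

# Emit one ruleset line (keeps leading dashes out of printf's format string).
rule() { printf '%s\n' "$*"; }

# gen_zone_ruleset RED_ADDR GREEN_ADDR [DNS_ADDR]
#   RED_ADDR:   this host's address on eth0 (192.168.1.100 in the thread)
#   GREEN_ADDR: this host's address on eth1 (assumed 10.0.0.1)
gen_zone_ruleset() {
    red_addr="$1"
    green_addr="$2"
    dns="${3:-8.8.8.8}"

    rule '*filter'
    # Default policies are DROP: a packet passes only if its zone chain accepts it.
    rule ':INPUT DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':RZONE - [0:0]'
    rule ':GZONE - [0:0]'
    rule ':ZONE_DROP - [0:0]'

    # Loopback belongs to no zone.
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A OUTPUT -o lo -j ACCEPT'

    # Dispatch: as in the thread's script, both directions of an interface share one chain.
    for ifc in eth0 eth1; do
        z=$(zone_for "$ifc") || continue
        rule "-A INPUT -i $ifc -j $z"
        rule "-A OUTPUT -o $ifc -j $z"
    done

    # Per zone: one stateful rule replaces the per-service ESTABLISHED "return" rules,
    # and INVALID packets (no conntrack entry, bad TCP flags) are dropped early.
    for z in RZONE GZONE; do
        rule "-A $z -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        rule "-A $z -m conntrack --ctstate INVALID -j DROP"
    done

    # Red zone: only connections this host opens (DNS over UDP and TCP, HTTP).
    # The -s match keeps these rules from matching inbound NEW packets seen via INPUT.
    rule "-A RZONE -p udp -s $red_addr -d $dns --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    rule "-A RZONE -p tcp -s $red_addr -d $dns --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    rule "-A RZONE -p tcp -s $red_addr --dport 80 -m conntrack --ctstate NEW -j ACCEPT"

    # Green zone: the LAN may open SSH to this host; the -d match limits it to inbound.
    rule "-A GZONE -p tcp -d $green_addr --dport 22 -m conntrack --ctstate NEW -j ACCEPT"

    # Whatever a zone chain did not accept is logged (rate-limited) and dropped,
    # instead of silently falling back to the builtin chain's policy.
    for z in RZONE GZONE; do
        rule "-A $z -j ZONE_DROP"
    done
    rule '-A ZONE_DROP -m limit --limit 5/minute -j LOG --log-prefix "zone-drop: "'
    rule '-A ZONE_DROP -j DROP'
    rule 'COMMIT'
}

# Usage: sh zones.sh 192.168.1.100 10.0.0.1 > zones.rules
#        iptables-restore --test zones.rules   # parse only, commit nothing
case $# in
    2) gen_zone_ruleset "$1" "$2" ;;
esac
```

The two design choices worth noticing are the per-zone ESTABLISHED,RELATED rule at the top of each chain, which makes the explicit "reply" rules of the original script unnecessary and also covers UDP DNS, and the explicit ZONE_DROP at the end of each chain: a user chain that runs off its end returns to INPUT or OUTPUT, so without it a zone's decision would quietly depend on whatever follows the jump in the builtin chain.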
Old 12-06-2015, 07:56 AM   #6
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Indeed, AFAIK there is nothing "new" in firewalld (as in changes to the Netfilter framework), and I seriously loathe any interface that vomits CSF, Control Panel-driven or UFW-like rule sets.
Old 12-06-2015, 07:58 AM   #7
paul2015
Member
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149
Original Poster
Thanks for your answers.
Old 12-06-2015, 08:03 AM   #8
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
You're welcome. Please mark this thread solved when done?
Old 12-06-2015, 08:13 AM   #9
paul2015
Member
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149
Original Poster
Of course.