Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
OS: Debian 5 (lenny)
Network interfaces: eth0 (used for DHCP, leasing for Subnet-A and Subnet-B); eth1 (for NATing, SNAT, DNAT, masquerading, etc.)
Subnets (LAN-1): Subnet-A1 10.10.64.0/18; Subnet-B2 10.10.128.0/18
Subnets (LAN-2): Subnet-A11 172.26.64.0/18; Subnet-B22 172.26.128.0/18
Queries:
(1) I want to deny Subnet-A access to Subnet-B (both subnets denied from accessing each other).
(2) Redirect subnet-A1 (10.10.64.0/18) to another subnet, A11 (172.26.64.0/18), and likewise redirect subnet-B2 to subnet-B22 (10.10.128.0/18 ---> 172.26.128.0/18).
(3) Deny all others (to be more secure). Caution!
I'm new to iptables, so please show a few examples. What approach should be used: iptables, NATing, SNAT, DNAT, masquerading, etc.? What's the most efficient solution when security, reliability and high availability are concerned?
Thank you for your time.
Destination Gateway Genmask Flags Metric Ref Use Iface
172.26.128.0 0.0.0.0 255.255.192.0 U 0 0 0 eth1
10.10.128.0 0.0.0.0 255.255.192.0 U 0 0 0 eth1
10.10.64.0 0.0.0.0 255.255.192.0 U 0 0 0 eth0
172.26.64.0 0.0.0.0 255.255.192.0 U 0 0 0 eth0
Did you leave one line out of the output? Or does this box not have a gateway?
If what you want is to deny access between each of these two LANs, simply disable forwarding. If what you want is to deny traffic between two subnets on the same physical network (172.26.128.0 and 10.10.128.0, for example), then keep in mind that there's nothing other than non-root privileges to stop those hosts from contacting the other subnets directly, without the need to go through this box. You mentioned that you were concerned about security, so I want to make sure you're aware of this fact.
Did you leave one line out of the output? Or does this box not have a gateway?
No, I haven't left out any line; it's the complete output. Yes, this box does not have a gateway.
Quote:
to deny access between each of these two LANs, simply disable forwarding.
OK, now I have disabled IP forwarding.
Quote:
to deny traffic between two subnets on the same physical network (172.26.128.0 and 10.10.128.0, for example), then keep in mind that there's nothing other than non-root privileges to stop those hosts from contacting the other subnets directly, without the need to go through this box.
Well, it's clear that the subnets will not be able to communicate "cross-subnets" (A to B or B to A, etc.).
Please also give an example of how to REDIRECT or translate these subnets into different subnets: (A) 10.10.64.0 ---> into ---> 172.26.64.0; (B) 10.10.128.0 ---> into ---> 172.26.128.0,
so that users of subnet 10.10.64.0 can use/share resources of 172.26.64.0?
# Default policy: drop every forwarded packet that no rule explicitly allows (query 3)
iptables -P FORWARD DROP
# Let packets belonging to already-permitted connections through in either direction
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections only from Subnet-A1 to Subnet-A11 (both reachable via eth0)
iptables -A FORWARD -i eth0 -o eth0 -s 10.10.64.0/18 -d 172.26.64.0/18 -m state --state NEW -j ACCEPT
# New connections only from Subnet-B2 to Subnet-B22 (both reachable via eth1)
iptables -A FORWARD -i eth1 -o eth1 -s 10.10.128.0/18 -d 172.26.128.0/18 -m state --state NEW -j ACCEPT
Of course, you'll need to re-enable forwarding.
BTW, I'm moving this to Networking so that it may gain better exposure. I'm kind of hoping that some of the LQ members who frequent that forum will chime in here and provide feedback as to whether or not doing this with iptables is a good idea (and/or to suggest a much better approach, which I suspect exists).
Last edited by win32sux; 01-20-2010 at 11:04 AM.
Reason: I had accidentally left out the prefix lengths.
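The rule set above can be sanity-checked before it is loaded on the box. What follows is an added example, not code from this thread or from win32sux: a small Python model of that FORWARD chain together with the routing table shown earlier, which returns the verdict a forwarded packet would receive. It assumes the conntrack state (NEW, ESTABLISHED, RELATED) is supplied by the caller.

```python
# Added example (not code from the thread): an offline model of the FORWARD
# chain win32sux posted, so the policy can be checked without a Debian box.
from ipaddress import ip_address, ip_network

# Routing table from the 'route -n' output above: network -> egress interface.
# The box has no default route, so anything outside these four networks is
# unroutable and never reaches the FORWARD chain at all.
ROUTES = {
    "172.26.128.0/18": "eth1", "10.10.128.0/18": "eth1",
    "10.10.64.0/18": "eth0", "172.26.64.0/18": "eth0",
}

# The chain as posted, in iptables order: (in, out, src, dst, states, target).
# None means the rule does not match on that field.
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    (None, None, None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),
    ("eth0", "eth0", "10.10.64.0/18", "172.26.64.0/18", {"NEW"}, "ACCEPT"),
    ("eth1", "eth1", "10.10.128.0/18", "172.26.128.0/18", {"NEW"}, "ACCEPT"),
]

def egress_iface(dst):
    """Return the interface the kernel would route dst out of, or None."""
    for net, iface in ROUTES.items():
        if ip_address(dst) in ip_network(net):
            return iface
    return None

def forward_verdict(in_iface, src, dst, state):
    """Walk the FORWARD chain top to bottom; first match wins, else the policy."""
    out_iface = egress_iface(dst)
    if out_iface is None:
        return "UNROUTABLE"  # discarded by routing before netfilter's FORWARD hook
    for r_in, r_out, r_src, r_dst, r_states, target in FORWARD_RULES:
        if r_in is not None and r_in != in_iface:
            continue
        if r_out is not None and r_out != out_iface:
            continue
        if r_src is not None and ip_address(src) not in ip_network(r_src):
            continue
        if r_dst is not None and ip_address(dst) not in ip_network(r_dst):
            continue
        if state not in r_states:
            continue
        return target
    return FORWARD_POLICY
```

Running the model over the thread's own cases shows A1 to A11 and B2 to B22 accepted for new connections, replies accepted only as ESTABLISHED, and every A-to-B or B-to-A attempt falling through to the DROP policy.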
Dear win32sux;
Thank you very much for your kind help and examples of iptables. I am currently testing your solution, and it's working. Also I'm doing some experimenting to change a few parameters.
Sure, I'll add more to this thread later on, and thanx for moving it to the appropriate forum.
Quote:
hoping that some of the LQ members who frequent that forum will chime in here and provide feedback as to whether or not doing this with iptables is a good idea (and/or to suggest a much better approach, which I suspect exists).