We recently modified our network infrstrucutre here at work and I'm working on rebuilding our iptables firewalls to account for the new infrastructure. Because we now have several networks going through one router, I now have traffic from networks I trust and networks I don't trust, and I'd like to filter them differently. So here is what I did:
Code:
IPTABLES=`which iptables`
$IPTABLES -N TRUSTED_IN
$IPTABLES -A TRUSTED_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -N UNTRUSTED_IN
$IPTABLES -A UNTRUSTED_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s <trusted network 1> -j TRUSTED_IN
$IPTABLES -A INPUT -s <trusted network 2> -j TRUSTED_IN
$IPTABLES -A INPUT -j UNTRUSTED_IN
$IPTABLES -N TRUSTED_OUT
$IPTABLES -A TRUSTED_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -N UNTRUSTED_OUT
$IPTABLES -A UNTRUSTED_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -d <trusted network 1> -j TRUSTED_OUT
$IPTABLES -A OUTPUT -d <trusted network 2> -j TRUSTED_OUT
$IPTABLES -A OUTPUT -j UNTRUSTED_OUT
I then proceeded to add rules to the TRUSTED_IN, TRUSTED_OUT, UNTRUSTED_IN and UNTRUSTED_OUT chains. At the end of the script, I do the following:
Code:
# Log whats left if desired.
$IPTABLES -A TRUSTED_IN -j LOG --log-prefix="TRUSTED IN: "
$IPTABLES -A TRUSTED_OUT -j LOG --log-prefix="TRUSTED OUT: "
$IPTABLES -A UNTRUSTED_IN -j LOG --log-prefix="UNTRUSTED IN: "
$IPTABLES -A UNTRUSTED_OUT -j LOG --log-prefix="UNTRUSTED OUT: "
# Drop whats left
#$IPTABLES -A TRUSTED_IN -j DROP
#$IPTABLES -A TRUSTED_OUT -j DROP
$IPTABLES -A UNTRUSTED_IN -j DROP
$IPTABLES -A UNTRUSTED_OUT -j DROP
The problem I'm having is that, according to the logs, the server sees all traffic as both trusted and untrusted. What do I need to put at the end of the chains to make iptables stop processing rules? Or do I need to rethink how I'm doing this?
