LinuxQuestions.org
Old 05-18-2010, 12:02 PM   #1
asifbasha
Member
 
Registered: Feb 2009
Posts: 98

Rep: Reputation: 15
need help from newbie to setup firewall


Hi to all,

I am learning (newbie) to set up a firewall in my home. For that I have selected four systems (sys1, sys2 .... sys4) for testing. I have
configured sys2 to act as a firewall with two NICs. sys3 and sys4 are inside the firewall. sys1 is not connected to the firewall, for
testing purposes.



the IP assignments are as follows:

sys1: (fedora, not connected to firewall I am thinking, but I am not sure)

IP : 192.168.2.1
gateway : blank
dns1 : blank
dns2 : blank

..................................

sys2 (firewall, IPTABLES)

eth0 192.168.2.2 (private IP for local LAN)
eth1 192.168.0.2 (public IP from ISP -- just for example)

gateway : 192.168.0.1

dns1:202.56.230.5
dns2:202.56.230.6

..................................

sys3: (fedora, connected to firewall I am thinking, but I am not sure)

IP : 192.168.2.3

gateway : 192.168.2.2 (sys2 eth0)

dns1 : blank
dns2 : blank

...................................

sys4: (fedora, connected to firewall I am thinking, but I am not sure)

IP : 192.168.2.4

gateway : 192.168.2.2 (sys2 eth0)


dns1 : blank
dns2 : blank

ssh service runs on this box

...................................

then my iptables rules are as follows

iptables -F (to flush all the existing rules; then I saved and restarted iptables)


INPUT chain :

iptables -A INPUT -s 192.168.2.1 -d 192.168.2.4 -p TCP --dport 22 -j REJECT (to block the ssh request to sys4)



OUTPUT chain :

iptables -A INPUT -s 0/0 -d 192.168.2.4 -p ALL -j REJECT (to block all the trusted and untrusted ports)

FORWARD chain :

blank

these are my exact rules, and no others

everything is saved and restarted
....................................

what happened is that sys1 (not connected to firewall) can ssh to sys4 (connected, inside firewall), although the rules are written
not to allow ssh from sys1 to sys4..


then I came to know that whatever request I give, it goes directly as sys1 --> sys4, not as sys1 --> sys2 (firewall) --> sys4, and the
firewall is not filtering or processing anything, either inbound or outbound (I think it's my mistake somewhere). The requests are going directly inside without the firewall..


please suggest an idea for how to make the firewall process the request first; I don't know where I am making the mistake ...


thanks in advance ..
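The behaviour described in this post follows from the addresses alone: sys1 (192.168.2.1) and sys4 (192.168.2.4) are both in 192.168.2.0/24, so sys1 delivers to sys4 directly on the LAN segment and nothing is ever sent through sys2. The script below is an added example, not code from the thread: it computes whether two hosts share a subnet from their dotted addresses and a prefix length, which is the check to run before expecting a firewall in the middle to see anything. The /24 prefix and the alternative address 192.168.0.5 for a sys1 placed on the outside segment are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: does traffic between two hosts have to pass through a router
# at all? If both are in the same subnet it is delivered directly at layer 2
# and no rule on the firewall box is ever consulted.

# ip2int DOTTED  ->  32-bit integer (192.168.2.1 -> 3232236033)
ip2int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix2mask PREFIX  ->  netmask as an integer (24 -> 4294967040)
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet A B PREFIX  ->  exit status 0 when A and B share the /PREFIX network
same_subnet() {
    _mask=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$2") & _mask )) ]
}

# path_report CLIENT SERVER PREFIX  ->  "direct" (firewall bypassed) or "routed"
path_report() {
    if same_subnet "$1" "$2" "$3"; then
        echo direct
    else
        echo routed
    fi
}

# The thread's layout: sys1 and sys4 are both in 192.168.2.0/24 (the /24 is
# assumed), so sys1's SSH packets go straight to sys4 and sys2's rules never match.
echo "sys1 -> sys4 with sys1 at 192.168.2.1: $(path_report 192.168.2.1 192.168.2.4 24)"   # direct

# A sys1 moved to the outside segment (192.168.0.5 is an assumed address) must
# be routed via sys2, which is the only place its rules can filter the flow.
echo "sys1 -> sys4 with sys1 at 192.168.0.5: $(path_report 192.168.0.5 192.168.2.4 24)"   # routed
```

The same check applies to sys3 and sys4: they share the subnet with each other, so sys2 cannot filter traffic between them either, whatever rules it carries.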
 
Old 05-18-2010, 09:28 PM   #2
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: Gentoo, LFS, Debian,Ubuntu
Posts: 1,537

Rep: Reputation: 87
This depends on how you have your systems connected in the network. The information you give is a bit confusing since sys1 is located inside the same network as sys4. For the firewall to be effective it needs to sit between sys1 and sys4. If sys1 was sitting outside the firewall it would need an address given to it by the router. Like say I have a router at 10.0.0.1 in my internal network and I have another computer acting as a router at 10.0.0.3 named comroute1 and another computer com1 sitting at 10.0.0.2. The internal network I have set up past comroute1 is using 192.168.0.* addressing. Comroute1 would have 2 network interfaces, one for the outer network and one for the inner network. com1 should not be connected physically to comroute1's internal network.

The only traffic that the firewall on comroute1 can filter is connections coming from the outer network into the inner network; no traffic inside the network, or in this example 192.168.0.*, can be filtered this way. For that type of thing you would create a firewall on the internal system you do not want internal traffic connecting to.

So using our example we want to prevent com1 from connecting to com4. Com4 is sitting behind the firewall.

com1 address is 10.0.0.2 and com4 address is 192.168.0.2

the way you would write a rule on comroute1 would be like this:

iptables -A FORWARD -d 192.168.0.2 -p tcp --dport ssh -j REJECT   # --dport requires -p tcp; packets routed through comroute1 traverse FORWARD, not INPUT

This however is not what I normally do on my firewalls. I drop everything and only allow good traffic in and everything out. There are many good sources of information regarding iptables. Here is one https://help.ubuntu.com/community/IptablesHowTo

Also remember that any packets destined for another system rather than the system running iptables will be forwarded to that system if you are using NAT.
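What a ruleset for a two-NIC box like sys2 looks like once the outside host is actually on the other side of it, as an added example rather than the reply's own code: forwarding is switched on, INPUT and FORWARD default to DROP, return traffic is matched by connection state, and the thread's SSH-to-sys4 block sits in FORWARD, where routed packets are evaluated (an INPUT rule on the firewall can only match connections to the firewall itself). The interface names and addresses are the thread's; the conntrack match, the anti-spoofing drop, the MASQUERADE rule and the `fw_rules`/`apply_rules` functions are assumptions of this example. The script prints the commands by default so they can be reviewed; run it with `apply` as root to load them.

```shell
#!/bin/sh
# Added example: default-deny ruleset for a two-NIC iptables firewall laid out
# like sys2 in the thread. Interfaces and addresses come from the thread; the
# rest is this example's assumption.
LAN_IF=eth0              # 192.168.2.2, inside (sys3, sys4)
WAN_IF=eth1              # 192.168.0.2, towards the ISP router 192.168.0.1
LAN_NET=192.168.2.0/24
SSH_HOST=192.168.2.4     # sys4: SSH must not be reachable from outside

# Rule order matters:
#  - INPUT and FORWARD policies are DROP, so anything not listed is refused;
#  - the conntrack ACCEPTs let replies to permitted connections back through;
#  - the anti-spoofing DROP refuses packets arriving on eth1 that claim a LAN source;
#  - the SSH REJECT for sys4 lives in FORWARD, because routed packets never hit INPUT
#    (with a DROP policy it is already refused; the explicit rule documents the
#    intent and answers with a reset instead of a silent timeout);
#  - new connections from the LAN out to the WAN are allowed and masqueraded.

# fw_rules prints the rule set, one command per line, so it can be read (or
# asserted on) before anything is applied.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -d $SSH_HOST -p tcp --dport 22 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# apply_rules loads the set; it refuses to do anything unless running as root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    fw_rules | sh -e
}

# Default action is to print; "apply" loads the rules.
if [ "${1-}" = apply ]; then
    apply_rules
else
    fw_rules
fi
```

Saving the result with the distribution's iptables-save mechanism so it survives a restart is left out here; the point of the block is where each rule has to live for the routed traffic to meet it.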
 
Old 05-18-2010, 10:39 PM   #3
brucehinrichs
Member
 
Registered: Mar 2008
Location: US
Distribution: Debian Sid; Sabayon, UbuntuStudio, Slackware-multilib 13.1, Peppermint Ice, CentOS
Posts: 575

Rep: Reputation: 69
Here's another good tutorial on an iptables firewall: http://www.aboutdebian.com/firewall.htm
 
Old 05-19-2010, 07:12 AM   #4
asifbasha
Member
 
Registered: Feb 2009
Posts: 98

Original Poster
Rep: Reputation: 15
now I understand, thanks for your quick response
 