LinuxQuestions.org


raeif 08-18-2015 10:38 PM

UFW and subnet routing
 
I have an Ubuntu server running as a router between two subnets, 10.10.16.0/24 and 10.10.20.0/24. My goal is to control which traffic crosses subnets using UFW and isolate hosts on the 10.10.16.0 subnet similar to a DMZ. Here's a rough diagram of my setup. I have 3 hosts I'm working with, 1 in the 16.0 subnet and 2 in the 20.0 subnet, with my gateways at .254 on the router for both subnets respectively:

Code:

                    ROUTER
              --------------------   
(16.10) -->  | 16.254 || 20.254 |    <-- (20.11)
              |  eth0  ||  eth1  |    X-- (20.100)
              --------------------

My specific goal is to allow ssh from 16.10 to 20.11 and vice versa (both Linux) but deny ssh from 20.100 (Windows 8.1) to 16.10. Here are my UFW rules:
Code:

To                         Action      From
--                         ------      ----
10.10.20.254 22/tcp        ALLOW       10.10.20.100
10.10.16.10 22/tcp         ALLOW       10.10.20.11
10.10.20.11 22/tcp         ALLOW       10.10.16.10
10.10.16.0/24              DENY        10.10.20.0/24
10.10.20.0/24              DENY        10.10.16.0/24

I also have enabled IP forwarding in the sysctl.conf file already and added a *nat section to my before.rules:

Code:

#NAT Rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.16.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.20.0/24 -o eth1 -j MASQUERADE
COMMIT

With IP masquerading for both subnets configured, I can ssh between all hosts successfully, including 20.100 to 16.10, which is not what I want. In this case, UFW doesn't seem to make any difference. This is probably not the right way to do it, but it's the only way I've found to get it to route between the subnets. I checked the UFW log and it doesn't show where it is allowing the ssh traffic through, but it shows where it's blocking other passive traffic from 20.100 (something on port 5351??). I have no idea why UFW isn't handling the traffic destined between the subnets.

I'm not an expert when it comes to routing and networking, and I'm still learning Linux. I feel I'm missing something basic here, so any help is greatly appreciated.

nini09 08-20-2015 02:46 PM

Do you know whether a deny rule like 10.10.16.0/24 DENY 10.10.20.0/24 is working? Is a deny rule like 10.10.16.10 DENY 10.10.20.100 working?

raeif 08-22-2015 12:50 PM

Didn't seem to make a difference. Added the following rule:
Code:

ufw deny from 10.10.20.100 to 10.10.16.10
I was still able to ssh and the UFW log didn't show anything. I'm looking into other options also: should I configure iptables rules directly rather than using UFW? Is UFW intended to manage forwarded traffic as well as traffic destined for and originating from the source machine? For that matter, should they be deny out rules rather than deny in rules, or does it make a difference?
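An added check, not posted by anyone in this thread, that reads a constructed `ufw status` listing (the rules from the first post plus one rule added with `ufw route`, which ufw lists with an FWD action) and flags ordinary allow/deny rules whose To and From lie on different router subnets. Such rules live in the INPUT/OUTPUT path and match only packets to or from the router itself; packets the router forwards between eth0 and eth1 are governed by `ufw route` rules and by DEFAULT_FORWARD_POLICY in /etc/default/ufw, so without route rules the inter-subnet ssh traffic is never filtered and never logged by those entries.

```shell
#!/bin/sh
# Constructed sample of `ufw status` output: the four rules from the first
# post plus one rule added with `ufw route`, which ufw lists as "DENY FWD".
STATUS_SAMPLE='To                         Action      From
--                         ------      ----
10.10.20.254 22/tcp        ALLOW       10.10.20.100
10.10.16.10 22/tcp         ALLOW       10.10.20.11
10.10.20.11 22/tcp         ALLOW       10.10.16.10
10.10.16.0/24              DENY        10.10.20.0/24
10.10.16.10 22/tcp         DENY FWD    10.10.20.100'

# Subnets attached to the router (from the post); both are /24, so a
# prefix comparison on the first three octets is enough here.
LOCAL_SUBNETS="10.10.16.0/24 10.10.20.0/24"

# First three octets of an address or /24 prefix.
net24() { printf '%s' "$1" | cut -d/ -f1 | cut -d. -f1-3; }

# Print the local subnet an address or prefix belongs to, or "none".
local_subnet_of() {
  for s in $LOCAL_SUBNETS; do
    if [ "$(net24 "$1")" = "$(net24 "$s")" ]; then echo "$s"; return; fi
  done
  echo none
}

# Scope of one status line: route rules carry "FWD" and sit in the FORWARD
# path; every other rule is an INPUT/OUTPUT rule for the router itself.
rule_scope() {
  case "$1" in *" FWD "*) echo FORWARD ;; *) echo INPUT ;; esac
}

# Flag INPUT/OUTPUT rules whose To and From are on different router subnets:
# such rules only match packets to or from the router's own addresses, so
# traffic forwarded between the subnets passes them untouched.
audit_status() {
  printf '%s\n' "$STATUS_SAMPLE" | tail -n +3 | while read -r line; do
    to=$(printf '%s' "$line" | awk '{print $1}')
    from=$(printf '%s' "$line" | awk '{print $NF}')
    scope=$(rule_scope "$line")
    ts=$(local_subnet_of "$to"); fs=$(local_subnet_of "$from")
    if [ "$scope" = INPUT ] && [ "$ts" != none ] && [ "$fs" != none ] \
       && [ "$ts" != "$fs" ]; then
      echo "NOT-FORWARD: $to <- $from (needs an 'ufw route' rule)"
    else
      echo "OK($scope): $to <- $from"
    fi
  done
}

audit_status
```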

nini09 08-24-2015 02:25 PM

It looks like UFW didn't work. You need to make sure UFW works on the system.
Yes, iptables is another option.
