I have an Ubuntu server running as a router between two subnets, 10.10.16.0/24 and 10.10.20.0/24. My goal is to control which traffic crosses subnets using UFW and isolate hosts on the 10.10.16.0 subnet, similar to a DMZ. Here's a rough diagram of my setup. I have 3 hosts I'm working with, 1 in the 16.0 subnet and 2 in the 20.0 subnet, with my gateways (.254 on each subnet) on the router:
Code:
                       ROUTER
                --------------------
(16.10) -->     | 16.254 || 20.254 |     <-- (20.11)
                |  eth0  ||  eth1  |     X-- (20.100)
                --------------------
My specific goal is to allow ssh from 16.10 to 20.11 and vice versa (both Linux) but deny ssh from 20.100 (Windows 8.1) to 16.10. Here are my UFW rules:
Code:
To                    Action      From
--                    ------      ----
10.10.20.254 22/tcp   ALLOW       10.10.20.100
10.10.16.10 22/tcp    ALLOW       10.10.20.11
10.10.20.11 22/tcp    ALLOW       10.10.16.10
10.10.16.0/24         DENY        10.10.20.0/24
10.10.20.0/24         DENY        10.10.16.0/24
I also have enabled IP forwarding in the sysctl.conf file already and added a *nat section to my before.rules:
Code:
#NAT Rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.16.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.20.0/24 -o eth1 -j MASQUERADE
COMMIT
With IP masquerading for both subnets configured, I can ssh between all hosts successfully, including 20.100 to 16.10, which is not what I want. In this case, UFW doesn't seem to make any difference. This is probably not the right way to do it, but it's the only way I've found to get it to route between the subnets. I checked the UFW log and it doesn't show where it is allowing the ssh traffic through, but it shows where it's blocking other passive traffic from 20.100 (something on port 5351??). I have no idea why UFW isn't handling the traffic destined between the subnets.
I'm not an expert when it comes to routing and networking and I'm still learning Linux. I feel I'm missing something basic here so any help is greatly appreciated.
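As an added check that is not part of the original post: a small Python model of the rule table above, evaluated first-match as ufw's user chains are, against the flows the post describes. It shows the table itself would deny 20.100 to 16.10, which leaves the question of which chain the rules land in (plain `ufw allow` rules filter traffic addressed to the router itself; traffic forwarded between eth0 and eth1 is governed by `ufw route` rules and DEFAULT_FORWARD_POLICY in /etc/default/ufw). The parser and evaluator are my own, assumed helpers.

```python
import ipaddress

# The poster's `ufw status` table, embedded as constructed sample input
# (copied from the post, with the trailing "/243" typo read as "/24").
UFW_STATUS = """\
To                    Action  From
--                    ------  ----
10.10.20.254 22/tcp   ALLOW   10.10.20.100
10.10.16.10 22/tcp    ALLOW   10.10.20.11
10.10.20.11 22/tcp    ALLOW   10.10.16.10
10.10.16.0/24         DENY    10.10.20.0/24
10.10.20.0/24         DENY    10.10.16.0/24
"""

def parse_rules(text):
    """Turn the status table into (dst_net, dport, proto, action, src_net) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[-2] not in ("ALLOW", "DENY", "REJECT"):
            continue  # header and separator lines
        action, src = parts[-2], parts[-1]
        dst = parts[0]
        dport = proto = None
        if len(parts) == 4:  # "addr port/proto" form; bare "net" form has no port
            port, proto = parts[1].split("/")
            dport = int(port)
        rules.append((ipaddress.ip_network(dst, strict=False), dport, proto,
                      action, ipaddress.ip_network(src, strict=False)))
    return rules

def evaluate(rules, src, dst, dport, proto="tcp", default="DENY"):
    """First matching rule wins; fall back to the chain's default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for dst_net, rport, rproto, action, src_net in rules:
        if (s in src_net and d in dst_net
                and (rport is None or rport == dport)
                and (rproto is None or rproto == proto)):
            return action
    return default

if __name__ == "__main__":
    rules = parse_rules(UFW_STATUS)
    for src, dst, port in [("10.10.16.10", "10.10.20.11", 22),
                           ("10.10.20.11", "10.10.16.10", 22),
                           ("10.10.20.100", "10.10.16.10", 22),
                           ("10.10.20.100", "10.10.20.254", 5351)]:
        print(f"{src} -> {dst}:{port}  {evaluate(rules, src, dst, port)}")
```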