Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 - 06-16-2007, 01:07 PM - Member (dablew), Registered: Oct 2006, Distribution: CentOS | Fedora | Mint | Ubuntu, Posts: 43
Firewall
Hi everyone,
I have FC6 Linux acting as my router with 3 NIC cards :
eth0 - WAN , eth1 - LAN1 & eth2 - LAN2 .
eth1 & eth2 have different private IP blocks. I want all users on LAN1 to be able to access machines on LAN2, while all LAN2 users except one IP are to be denied access to LAN1.
In short:
LAN1(192.168.70.0/24) to LAN2(192.168.75.0/24) - allow
LAN2(192.168.75.0/24) to LAN1(192.168.70.0/24) - deny
(Only one IP) LAN2(192.168.75.2) to LAN1 - allow
It sounded quite easy when thinking about it but failed during implementation.
Here are my iptables rules I used:
iptables -A INPUT -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A INPUT -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A FORWARD -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A OUTPUT -o eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A INPUT -i eth2 -s 192.168.75.2/24 -d 192.168.70.0/24 -j ACCEPT
I don't know what I am doing wrong, for after running this from my firewall script, both LAN1 & LAN2 stop communicating with each other from either end.
My firewall script does not have any default option to drop.
Can anyone please assist me with how to set this up?
#2 - 06-16-2007, 01:37 PM - Moderator (acid_kewpie), Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417
OK, a few things here. Firstly, when you're looking at a routing firewall, you're only concerned with the FORWARD table. INPUT and OUTPUT only relate to the traffic to or from the firewall machine itself, which you'd handle as a separate concern. Also, iptables is order critical: you need to deal with exceptions *BEFORE* the masses, i.e. enable the single exception before denying the entire network... and btw you have 192.168.75.2/24 there, which is nonsense... you just mean 192.168.75.2 I assume.
In general I'd say your rules are too specific really. You want to do only a few things:
1) permit 192.168.75.2 to go anywhere
2) reject anything on eth2 access to 192.168.70.0/24
and that's actually it, no, when it's an implicit permit for other things like the internet.
iptables -A FORWARD -i eth2 -s 192.168.75.2 -j ACCEPT
iptables -A FORWARD -i eth2 -d 192.168.70.0/24 -j REJECT
#3 - 06-16-2007, 10:56 PM - Senior Member (Berhanie), Registered: Dec 2003, Location: phnom penh, Distribution: Fedora, Posts: 1,625
Quote:
Originally Posted by acid_kewpie
In general I'd say your rules are too specific really. You want to do only a few things:
1) permit 192.168.75.2 to go anywhere
2) reject anything on eth2 access to 192.168.70.0/24
To add to that, don't forget to allow return traffic to be forwarded back to eth1. So near the top of the eth2 rules, goes something like this:
Code:
iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
#4 - 06-16-2007, 11:22 PM - Member, Registered: Jun 2007, Posts: 359
Quote:
Originally Posted by dablew
Hi everyone,
I have FC6 Linux acting as my router with 3 NIC cards :
eth0 - WAN , eth1 - LAN1 & eth2 - LAN2 .
eth1 & eth2 have different private IP blocks. I want all users on LAN1 to be able to access machines on LAN2, while all LAN2 users except one IP are to be denied access to LAN1.
In short:
LAN1(192.168.70.0/24) to LAN2(192.168.75.0/24) - allow
LAN2(192.168.75.0/24) to LAN1(192.168.70.0/24) - deny
(Only one IP) LAN2(192.168.75.2) to LAN1 - allow
It sounded quite easy when thinking about it but failed during implementation.
Here are my iptables rules I used:
iptables -A INPUT -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A INPUT -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A FORWARD -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A OUTPUT -o eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A INPUT -i eth2 -s 192.168.75.2/24 -d 192.168.70.0/24 -j ACCEPT
I don't know what I am doing wrong, for after running this from my firewall script, both LAN1 & LAN2 stop communicating with each other from either end.
My firewall script does not have any default option to drop.
Can anyone please assist me with how to set this up?
FYI, the difference between DROP and REJECT is:
DROP will drop the traffic without doing any further action,
REJECT will drop the traffic after it does an action (such as tcp-reset, icmp-prohibited and so on...).
The problem is REJECT will make your FW busy if you have a large amount of traffic to be denied.
Bold part: the problem in your config is that you allow LAN1 requests to LAN2, but deny LAN2 replies to LAN1. You have to be more specific about what kind of request and reply are allowed to communicate.
#5 - 06-17-2007, 05:11 AM - Moderator (acid_kewpie), Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417
Quote:
Originally Posted by Berhanie
To add to that, don't forget to allow return traffic to be forwarded back to eth1. So near the top of the eth2 rules, goes something like this:
Code:
iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
Yeah, bad one from me there... to be honest I've *very* little exposure to iptables, never sure where conntrack actually comes into play. This syntax is somewhat ill at odds with other firewalls I'm more used to (e.g. Cisco IOS) where stateful inspection is implicit, and the equivalent of using these state values would be direct stateless inspection of tcp flags, which is pretty horrible compared to genuine statefulness, i.e. any packet other than a SYN or RST is presumed to be part of an existing connection, so permitted.
#6 - 06-18-2007, 11:05 AM - Member (dablew, Original Poster), Registered: Oct 2006, Distribution: CentOS | Fedora | Mint | Ubuntu, Posts: 43
You've been of great help, guys. It finally worked.
These rules did the trick:
iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -s 192.168.75.2 -j ACCEPT
iptables -A FORWARD -i eth2 -d 192.168.70.0/24 -j DROP
Thanks much
Quote:
Originally Posted by acid_kewpie
and btw you have 192.168.75.2/24 there, which is nonsense... you just mean 192.168.75.2 I assume.
This was a typing mistake, acid_kewpie. I meant 192.168.75.2. Thanks however for identifying it.
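The thread's final rule set (post #6) works because of two points made earlier: the conntrack rule from post #3 must come first so LAN2 can answer LAN1, and the exception must precede the deny (post #2). The script below is an added example, not code from the thread or from any poster, that turns those three rules into a complete FORWARD policy for the router described (eth0 WAN, eth1 LAN1, eth2 LAN2). It goes beyond the thread in one respect, which is an assumption of this example: it sets an explicit DROP default policy and therefore also needs explicit ACCEPT rules for LAN1-to-LAN2 and LAN-to-WAN traffic. Interface names and subnets are the thread's; the IPT dry-run variable and the rule_line helper are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a complete FORWARD policy for the
# three-NIC router (eth0 WAN, eth1 LAN1, eth2 LAN2). Run with "apply" to
# load the rules; with no argument, or with IPT=echo, it only prints them.
set -eu

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN1_IF="${LAN1_IF:-eth1}"
LAN1_NET="${LAN1_NET:-192.168.70.0/24}"
LAN2_IF="${LAN2_IF:-eth2}"
LAN2_NET="${LAN2_NET:-192.168.75.0/24}"
LAN2_EXCEPTION="${LAN2_EXCEPTION:-192.168.75.2}"   # the one LAN2 host allowed into LAN1

# The FORWARD rules in the order they must be evaluated (first match wins).
forward_rules() {
    # 1. Replies to connections the router has already seen pass first; without
    #    this rule LAN2 hosts could never answer requests from LAN1 (post #3).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. The exception before the general deny (post #2): the single LAN2 host.
    $IPT -A FORWARD -i "$LAN2_IF" -s "$LAN2_EXCEPTION" -j ACCEPT
    # 3. Everything else arriving on LAN2 and headed for LAN1 is dropped.
    $IPT -A FORWARD -i "$LAN2_IF" -d "$LAN1_NET" -j DROP
    # 4. New connections that are explicitly allowed (assumption of this example,
    #    needed because the default policy below is DROP): LAN1 to LAN2, and
    #    both LANs to the WAN. Anything unmatched hits the DROP policy.
    $IPT -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -d "$LAN2_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$LAN2_IF" -s "$LAN2_NET" -o "$WAN" -j ACCEPT
}

# Flush the chain, set an explicit default policy, then load the rules.
apply_policy() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    forward_rules
}

# Position (1-based) of the first generated rule matching pattern $1, taken
# from a dry run, so a script can check its own ordering before applying it.
rule_line() {
    ( IPT=echo; forward_rules ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    apply_policy
else
    IPT=echo apply_policy
fi
```

Run it without arguments to review the generated commands (the dry run prints `-A FORWARD ...` lines in evaluation order), and `sh fw.sh apply` as root to load them. The order check matters more than it looks: if the `ESTABLISHED,RELATED` rule slips below the DROP rule, the symptom is exactly the one in post #1, where LAN1 can send requests to LAN2 but never sees the replies.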