LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-16-2007, 01:07 PM   #1
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Rep: Reputation: 15
Firewall


Hi everyone,


I have FC6 Linux acting as my router with 3 NIC cards :
eth0 - WAN , eth1 - LAN1 & eth2 - LAN2 .
eth1 & eth2 have different private IP blocks.I want all users on LAN1 to be able to access machines on LAN2 while all LAN2 users except one IP to be denied access to LAN 1.
In short:
LAN1(192.168.70.0/24) to LAN2(192.168.75.0/24) - allow
LAN2(192.168.75.0/24) to LAN1(192.168.70.0/24) - deny (Only one IP)LAN2(192.168.75.2) to LAN1 - allow

It sounded quite easy when thinking about it but failed
during implementation.

Here are my iptables rules I used:

iptables -A INPUT -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT


iptables -A INPUT -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A FORWARD -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A OUTPUT -o eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT

iptables -A INPUT -i eth2 -s 192.168.75.2/24 -d 192.168.70.0/24 -j ACCEPT

I don,t know what am doing wrong for after running this from my firewall script, both LAN1 & LAN2 stop communicating to each other from either ends.
My firewall script does not have any default option to drop.

Can anyone please assist me with how to set this up.
 
Old 06-16-2007, 01:37 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
OK, a few things here. firstly when you're looking at a routing firewall, you're only concerned with the FORWARD table. INPUT and OUTPUT only relate to the traffic to or from the firewall machien itself, which you'd handle as a seperate concern. also iptables is order critical. you need to deal with exceptions *BEFORE* the masses, i.e. enable the single exception before denying the entire netowkr... and btw you have 192.168.75.2/24 there, which is nonsense... you just mean 192.168.75.2 i assume.

in general i'd say your rules are too specific really. you want to do only a few things

1) permit 192.168.75.2 to go anywhere
2) reject anything on eth2 access to 192.168.70.0/24

and that's actually it, no. when it's an implicit permit for other things like internet.

iptables -A FORWARD -i eth2 -s 192.168.75.2 -j ACCEPT
iptables -S FORWARD -i eth2 -d 192.168.70.0/24 -j REJECT
 
Old 06-16-2007, 10:56 PM   #3
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
in general i'd say your rules are too specific really. you want to do only a few things

1) permit 192.168.75.2 to go anywhere
2) reject anything on eth2 access to 192.168.70.0/24
To add to that, don't forget to allow return traffic to be forwarded back to eth1. So near the top of the eth2 rules, goes something like this:
Code:
iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 06-16-2007, 11:22 PM   #4
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Quote:
Originally Posted by dablew
Hi everyone,


I have FC6 Linux acting as my router with 3 NIC cards :
eth0 - WAN , eth1 - LAN1 & eth2 - LAN2 .
eth1 & eth2 have different private IP blocks.I want all users on LAN1 to be able to access machines on LAN2 while all LAN2 users except one IP to be denied access to LAN 1.
In short:
LAN1(192.168.70.0/24) to LAN2(192.168.75.0/24) - allow
LAN2(192.168.75.0/24) to LAN1(192.168.70.0/24) - deny (Only one IP)LAN2(192.168.75.2) to LAN1 - allow

It sounded quite easy when thinking about it but failed
during implementation.

Here are my iptables rules I used:

iptables -A INPUT -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.70.0/24 -d 192.168.75.0/24 -j ACCEPT


iptables -A INPUT -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A FORWARD -i eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT
iptables -A OUTPUT -o eth2 -s 192.168.75.0/24 -d 192.168.70.0/24 -j REJECT

iptables -A INPUT -i eth2 -s 192.168.75.2/24 -d 192.168.70.0/24 -j ACCEPT


I don,t know what am doing wrong for after running this from my firewall script, both LAN1 & LAN2 stop communicating to each other from either ends.
My firewall script does not have any default option to drop.

Can anyone please assist me with how to set this up.
FYI,

difference between DROP and REJECT is :
DROP will be dropping traffic without doing any further action,
REJECT will drop traffic after it does an action (such as tcp-reset, icmp-prohibited and so on...)

the problem is REJECT will make your FW busy if you have a large amount of traffic to be deny.

bold part : the problem in your config is that you allow LAN1 request to LAN2 - but deny LAN2 reply to LAN1 -- you have to be more specific of what kind of request and reply to be allow to communicate.
 
Old 06-17-2007, 05:11 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
Quote:
Originally Posted by Berhanie
To add to that, don't forget to allow return traffic to be forwarded back to eth1. So near the top of the eth2 rules, goes something like this:
Code:
iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
yeah, bad one from me there... to be honest i've *very* little exposure to iptables, never sure where conntrack actually comes into play. this syntax is somewhat ill at odds to other firewalls i'm more used to (e.g. Cisco IOS) where stateful inspection is implicit, and the equivalent of using these state values would be direct stateless inspection of tcp flags, which is pretty horrible compared to genuine statefulness, i.e. any packet other than a SYN or RST is presumed to be part of an existing connection, so permitted.
 
Old 06-18-2007, 11:05 AM   #6
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Rep: Reputation: 15
U've been of great help guyz.It finally worked.

These rules did the trick:

iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -s 192.168.75.2 -j ACCEPT
iptables -A FORWARD -i eth2 -d 192.168.70.0/24 -j DROP

Thanks much

Quote:
and btw you have 192.168.75.2/24 there, which is nonsense... you just mean 192.168.75.2 i assume.
This was a typing mistake acid_kewpie,I meant 192.168.75.2 .Thanks however for identifying.
 
  


Reply

Tags
firewall


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
router billion 5102 has firewall and software firewall tests aus9 Linux - Security 6 12-31-2006 11:09 PM
using a router with firewall, local firewall waste? Michael_aust Linux - General 1 03-26-2006 09:02 AM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 10:15 PM
Firewall Builder sample firewall policy file ? (.xml) nuwanguy Linux - Networking 0 09-13-2003 01:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration