iptables: deny connections from dmz to lan
Hi there,
I need to drop any packages from the DMZ to the LAN, so I tried iptables -A INPUT -s 172.16.1.0/24 -d 10.0.10.0/24 -j DROP as well as iptables -A FORWARD -s 172.16.1.0/24 -d 10.0.10.0/24 -j DROP, but I can still connect. What did I do wrong? Thanks, Toby
You really should do this by specifying the interfaces instead of the networks IMHO.
Assuming your DMZ is on eth2 and your LAN is on eth1, it would go like:
Code:
iptables -I FORWARD -i eth2 -o eth1 -j DROP
Well, I cannot connect via SSH to the hosts in the DMZ from the LAN anymore then..?
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Once again, you really should try to make these DROP rules unnecessary if possible.
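Added example, not from the thread: a minimal first-match model of an iptables FORWARD chain that shows why the order of the two rules quoted in the replies decides whether LAN-initiated SSH into the DMZ still works. It assumes the interface names from the first reply (eth2 = DMZ, eth1 = LAN) and a chain policy of ACCEPT.

```python
# Added example (not from the thread): a minimal first-match model of an
# iptables FORWARD chain, to show why the order of the two rules quoted in
# the replies decides whether LAN-initiated SSH into the DMZ still works.
# Interface names are the ones assumed in the first reply.
DMZ_IF, LAN_IF = "eth2", "eth1"

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
STATE_ACCEPT = {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}
# iptables -I FORWARD -i eth2 -o eth1 -j DROP
DMZ_TO_LAN_DROP = {"in": DMZ_IF, "out": LAN_IF, "target": "DROP"}

# Constructed packets, classified the way conntrack would classify them.
PACKETS = {
    "lan_ssh_syn":   {"in": LAN_IF, "out": DMZ_IF, "state": "NEW"},
    "dmz_ssh_reply": {"in": DMZ_IF, "out": LAN_IF, "state": "ESTABLISHED"},
    "dmz_new_conn":  {"in": DMZ_IF, "out": LAN_IF, "state": "NEW"},
}

def matches(rule, pkt):
    """A rule matches only if every match it specifies holds (as in iptables)."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "in" in rule and pkt["in"] != rule["in"]:
        return False
    if "out" in rule and pkt["out"] != rule["out"]:
        return False
    return True

def forward(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; the chain policy (assumed ACCEPT) applies otherwise."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def verdicts(chain):
    """Verdict for each constructed packet under the given rule order."""
    return {name: forward(chain, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    # State rule first: DMZ hosts cannot open connections into the LAN, but
    # replies to LAN-initiated SSH sessions still pass.
    print("ACCEPT before DROP:", verdicts([STATE_ACCEPT, DMZ_TO_LAN_DROP]))
    # DROP first (the -I rule alone, or inserted above the state rule): the
    # SSH replies from the DMZ are dropped too, which is what the asker saw.
    print("DROP before ACCEPT:", verdicts([DMZ_TO_LAN_DROP, STATE_ACCEPT]))
```

Because `-I` inserts at the top and `-A` appends at the bottom, check the resulting order with `iptables -L FORWARD -v --line-numbers` rather than assuming it from the commands typed.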