LinuxQuestions.org


t0bias 10-03-2007 07:32 AM

iptables: deny connections from dmz to lan
 
Hi there,

I need to drop any packets from the DMZ to the LAN, so I tried
iptables -A INPUT -s 172.16.1.0/24 -d 10.0.10.0/24 -j DROP
as well as
iptables -A FORWARD -s 172.16.1.0/24 -d 10.0.10.0/24 -j DROP
but I can still connect.
What did I do wrong?

thanks,

toby

win32sux 10-03-2007 07:46 AM

You really should do this by specifying the interfaces instead of the networks IMHO.

Assuming your DMZ is on eth2 and your LAN is on eth1, it would go like:
Code:

iptables -I FORWARD -i eth2 -o eth1 -j DROP

But you should really try to make this type of rule unnecessary in the first place. To do that, you set your policy to DROP and then make exceptions by adding ACCEPT rules. Since you wouldn't have an ACCEPT rule for DMZ to LAN traffic, it would be firewalled by default. It's just a suggestion.

t0bias 10-03-2007 07:51 AM

Well, I cannot connect via ssh to the hosts in the DMZ from the LAN anymore then?

win32sux 10-03-2007 07:56 AM

Quote:

Originally Posted by t0bias (Post 2911682)
Well, I cannot connect via ssh to the hosts in the DMZ from the LAN anymore then?

Sure, just have a rule for RELATED,ESTABLISHED packets at the top. Like:
Code:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -m state --state NEW -j DROP

So now connections can be started from eth1 to eth2 but not vice-versa.

Once again, you really should try to make these DROP rules unnecessary if possible.
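The default-DROP approach win32sux describes, written out as an added example (not code from the thread or from either poster): the FORWARD policy is set to DROP, the only exceptions are reply traffic and new LAN-to-DMZ connections, and the ruleset is rendered as text so it can be reviewed and checked before it is applied as root. Interface names eth1/eth2 follow the thread; the rate-limited LOG rule for blocked DMZ-to-LAN attempts is an addition of this example and assumes the standard `LOG` target and `limit` match are available.

```shell
#!/bin/sh
# Added example, not from the thread. Generates and checks a default-DROP
# FORWARD ruleset with explicit exceptions (LAN -> DMZ allowed, DMZ -> LAN not).

# Print the iptables commands for the given LAN and DMZ interfaces, one per
# line. Rendering instead of executing lets the ruleset be inspected first.
render_forward_rules() {
    lan="$1"; dmz="$2"
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan -o $dmz -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $dmz -o $lan -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN blocked: "
EOF
}
# Rule order matters: replies are accepted first, then NEW from LAN to DMZ;
# NEW from DMZ to LAN only hits the LOG rule and then the DROP policy.

# Sanity check before applying: count rules that would ACCEPT NEW connections
# entering on the DMZ interface and leaving on the LAN interface (must be 0).
count_dmz_to_lan_accepts() {
    render_forward_rules "$1" "$2" | grep -- "-i $2 -o $1 " | grep -c -- "-j ACCEPT" || true
}

# Apply the ruleset for real (needs root and iptables); refuses if the
# check above finds a DMZ -> LAN ACCEPT rule.
apply_forward_policy() {
    if [ "$(count_dmz_to_lan_accepts "$1" "$2")" != "0" ]; then
        echo "refusing: ruleset would allow DMZ->LAN connections" >&2
        return 1
    fi
    render_forward_rules "$1" "$2" | sh -e
}
```

Run `render_forward_rules eth1 eth2` to review the commands, then `apply_forward_policy eth1 eth2` as root to install them.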

