Thanks for your help, especially Pascal, and thanks for your detailed and meaningful description.
I hope I can get it done soon.
I'm not so clear, or maybe you got confused about that; if possible please reply, because I cannot test the script right now.
Your advice:
iptables -I FORWARD -i eth0 -o eth0 -j DROP
eth0 <<< WAN
eth1 <<< LAN
I think you are talking about
iptables -I FORWARD -i eth1 -o eth1 -j DROP
Please help?
On Sat, Aug 21, 2010 at 7:33 PM, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
Hello,
Makara wrote:
> Here is my network diagram
>
>                                                / LAN1 [10.101.189.0/24]
> internet---------------[eth0]--------------{Linux}-----------------[eth1]
>                                                \ LAN2 [192.168.0/24]
>
> My iptables script
>
> # EDIT This line only
>
> IP_WAN=x.x.x.x
>
> # DO NOT EDIT
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> modprobe ip_conntrack

Unnecessary, should be automatically loaded by ip_conntrack_ftp

> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp

Unnecessary, should be automatically loaded by ip_nat_ftp

> # Flush all rules
>
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -F -t nat
> iptables -F -t mangle
>
> # Default Policies
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> # Allow UDP, DNS and Passive FTP
> iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

All 3 rules are useless, as the default policies are already ACCEPT and
there are no DROP nor REJECT rules. Also, the comment is misleading:
they accept much more than just UDP, DNS and passive FTP. They actually
accept almost anything.

> # garena game
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 0/0 --dport 1511:1611

This rule has no target (-j <target>) and therefore no action.

> # Transparent Proxy if it's network game
> iptables -A PREROUTING -t nat -i eth1 -s 10.101.189.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> # NAT
> iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source $IP_WAN
>
> Both LAN1 and LAN2 can access the internet, which is good, but they can also
> access each other.
>
> Please kindly help, I don't want LAN1 to connect to LAN2 or LAN2 to connect to
> LAN1.

If both subnets share the same ethernet network (e.g. use the same
switches without any separate VLANs), then they can communicate directly
over this ethernet network, skipping the Linux router. If some hosts do
not have a direct route to the other subnet they will use the router to
reach hosts in the other subnet and then you can insert iptables rules
to DROP traffic in the FORWARD chain:

iptables -I FORWARD -i eth0 -o eth0 -j DROP

But be warned that it will have no effect on hosts which have a direct
route to the other subnet.
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4C6FC791.4070903@plouf.fr.eu.org
--
The person who loves others will also be loved.
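The interface question raised at the top of the thread (eth0/eth0 versus eth1/eth1) and Pascal's FORWARD-chain advice can be checked with a small model of the router's forwarding decision. This is an added example, not code from the list or from either poster; it assumes, from the diagram, that eth0 is the WAN and both LANs are reached through eth1, and it adds an assumed subnet-based rule pair that does not depend on interface names.

```python
import ipaddress

# Constructed model of the router in the thread's diagram (added example, not
# code from the list). Assumed from the diagram: eth0 = WAN, both LANs via eth1.
LAN1 = ipaddress.ip_network("10.101.189.0/24")
LAN2 = ipaddress.ip_network("192.168.0.0/24")
ROUTES = {LAN1: "eth1", LAN2: "eth1", ipaddress.ip_network("0.0.0.0/0"): "eth0"}

# The two FORWARD rules from the thread, plus an assumed subnet-based variant.
RULE_AS_REPLIED = [{"i": "eth0", "o": "eth0", "j": "DROP"}]  # -i eth0 -o eth0
RULE_AS_READ = [{"i": "eth1", "o": "eth1", "j": "DROP"}]     # -i eth1 -o eth1
RULES_BY_SUBNET = [{"s": LAN1, "d": LAN2, "j": "DROP"},
                   {"s": LAN2, "d": LAN1, "j": "DROP"}]

def egress_iface(dst):
    """Longest-prefix match, the way the kernel picks the output interface."""
    dst = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def forward_verdict(chain, src, dst, in_iface, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy (ACCEPT in the script)."""
    out_iface = egress_iface(dst)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        if "i" in rule and rule["i"] != in_iface:
            continue
        if "o" in rule and rule["o"] != out_iface:
            continue
        if "s" in rule and src not in rule["s"]:
            continue
        if "d" in rule and dst not in rule["d"]:
            continue
        return rule["j"]
    return policy

def verdicts(src, dst, in_iface):
    """Verdict of each candidate rule set for one packet entering on in_iface."""
    return {"eth0/eth0": forward_verdict(RULE_AS_REPLIED, src, dst, in_iface),
            "eth1/eth1": forward_verdict(RULE_AS_READ, src, dst, in_iface),
            "subnets": forward_verdict(RULES_BY_SUBNET, src, dst, in_iface)}

def inter_lan_verdicts():
    """LAN1 host to LAN2 host: in on eth1 and, as LAN2 is also behind eth1, out on eth1."""
    return verdicts("10.101.189.5", "192.168.0.7", "eth1")

def lan_to_internet_verdicts():
    """LAN1 host to the internet (constructed TEST-NET-2 address): eth1 in, eth0 out."""
    return verdicts("10.101.189.5", "198.51.100.10", "eth1")
```

Only packets that actually reach the router's FORWARD chain are modelled; a host with a direct route to the other subnet on the same switch never gets there, which is exactly the caveat in Pascal's reply.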