Search This Blog

Monday, August 23, 2010

Re: Blocked route LAN to LAN

Hi Makara

That would be correct
iptables -I FORWARD -i eth1 -o eth1 -j DROP
would stop routing packets between your two networks assuming eth1 is
plugged into your switch and eth0 is not

however as pascal mentioned this relies on at least 1 of the hosts not
having a route back to the machine trying to contact it, but even if it
can't respond to requests it is still open to potential attacks from the
hosts that can still send the requests


with your eth0 -> eth1 firewall rules you want to ensure that you allow
outbound but restrict inbound connections, and usually you would do
this by setting a default DROP policy on the FORWARD chain followed by
rules to allow eth1 -> internet, and statefull rules to allow internet
-> eth1
like (and this is just an example)
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

you would also want to put rules to block packets on the INPUT chain
too to protect unwanted connections comming from the internet
connecting direclty to your router

On Mon, 23 Aug 2010 09:10:48 +0700
Makara <chanmakara@gmail.com> wrote:

> Hi List,
>
> Thank for your help specially Pascal, thank for you detail and
> meaningful description.
>
> I hope I can get it done soon.
>
> I'm not so clear or maybe you get confused about that, if possible
> please reply because I can not test the script right now
>
> Your advise
>
> iptables -I FORWARD -i eth0 -o eth0 -j DROP
>
> eth0 ,<<< WAN
> eth1 <<< is LAN
>
> I think you are talking about
>
> iptables -I FORWARD -i eth1 -o eth1 -j DROP
>
>
> Please help?
>
>
> On Sat, Aug 21, 2010 at 7:33 PM, Pascal Hambourg <
> pascal.mail@plouf.fr.eu.org> wrote:
>
> > Hello,
> >
> > Makara a écrit :
> > >
> > > Here is my network diagram
> > >
> > >
> > > / LAN1 [10.101.189.0/24 <http://10.101.189.0/24>]
> > > internet---------------[eth0]--------------{Linux}-----------------[eth1]
> > >
> > > \LAN2 [192.168.0/24]
> > >
> > > My iptables script
> > >
> > > # EDIT This line only
> > >
> > > IP_WAN=x.x.x.x
> > >
> > > # DO NOT EDIT
> > >
> > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > >
> > > modprobe ip_conntrack
> >
> > Unnecessary, should be automatically loaded by ip_conntrack_ftp
> >
> > > modprobe ip_nat_ftp
> > > modprobe ip_conntrack_ftp
> >
> > Unnecessary, should be automatically loaded by ip_nat_ftp
> >
> > > # Flush all rules
> > >
> > > iptables -F INPUT
> > > iptables -F FORWARD
> > > iptables -F OUTPUT
> > > iptables -F -t nat
> > > iptables -F -t mangle
> > >
> > > # Default Policies
> > >
> > > iptables -P INPUT ACCEPT
> > > iptables -P FORWARD ACCEPT
> > > iptables -P OUTPUT ACCEPT
> > >
> > > # Allow UDP, DNS and Passive FTP
> > > iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j
> > > ACCEPT iptables -A FORWARD -m state --state
> > > NEW,RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state
> > > --state NEW,RELATED,ESTABLISHED -j ACCEPT
> >
> > All 3 rules are useless, as the default policies are already ACCEPT
> > and there are no DROP nor REJECT rules. Also, the comment is
> > misleading : they accept much more than just UDP, DNS and passive
> > FTP. They actually accept almost anything.
> >
> > > # garena game
> > > iptables -t nat -A PREROUTING -p udp -i eth0 -d 0/0 --dport
> > > 1511:1611
> >
> > This rule has no target (-j <target>) and therefore no action.
> >
> > > # Transparent Proxy if it's network game
> > > iptables -A PREROUTING -t nat -i eth1 -s 10.101.189.0/24
> > > 10.101.189.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > >
> > >
> > > # NAT
> > > iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source $IP_WAN
> > >
> > >
> > > Both LAN1 n LAN2 can access internet it's good but they can
> > > access to each other.
> > >
> > > Please kindly help, I don't want LAN1 connect to LAN2 or LAN2
> > > connect to LAN1.
> >
> > If both subnets share the same ethernet network (e.g. use the same
> > switches without any separate VLANs), then they can communicate
> > directly over this ethernet network, skipping the Linux router. If
> > some hosts do not have a direct route to the other subnet they will
> > use the router to reach hosts in the other subnet and then you can
> > insert iptables rules to DROP traffic in the FORWARD chain :
> >
> > iptables -I FORWARD -i eth0 -o eth0 -j DROP
> >
> > But be warned that it will have no effect on hosts which have a
> > direct route to the other subnet.
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> > Archive: http://lists.debian.org/4C6FC791.4070903@plouf.fr.eu.org
> >
> >
>
>

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20100823170746.5a4c48e7@optix.qk.com.au

No comments: