[TriLUG] IPTABLES rule help

rasch at raschnet.com rasch at raschnet.com
Mon Jul 14 13:23:23 EDT 2003


On Mon, Jul 14, 2003 at 01:07:51PM -0400, bp wrote:
> Goal.
> Allow anything from 10.17.23. , 10.17.24 (both /25 subnets) and 10.32.8. 
> (a /23 subnet.)
> 
> Deny everything inbound from outside of those 3 subnets except for SSH and 
> pings.
> 
> I'd still like to be able to fwd X and anything outgoing to anywhere.
> 
> Any pro's have a 3 or 4 line ruleset for that order?

What's the topology here?  Do you have two NICs: one to "everything
else"/internet and one to one of these 10 networks, and a router to the
others?  The best way to do this is to ensure that the incoming packets
came into the router on an appropriate interface, then check that the
forwarding is valid.  

I don't write my own firewall rules anymore, I use Shorewall, and have
yet to find something it cannot do.  To achieve this goal in shorewall,
you would add each of these 10 nets to your "loc" zone and then in
your policy file specify that "loc" to "loc" should be unconditionally
ACCEPTed.  Then, specify "net" to "loc" to be REJECTed.  You can then
use the "rules" file to specify exceptions if you so desire.

Otherwise, you can do the following:

make sure forwarding is on

# echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -P FORWARD DROP
here's where Shorewall saves you a ton of work.  To do this, you have to
enter each permutation of possible source/dest pairs. I'll just show
one.  You can also specify an incoming interface requirement with "-i
eth0" (change for appropriate interface). This will avoid someone
spoofing a packet into your LAN.  You have 3 nets, and 3 pairs of nets
(3 C 2 = 3) so you should have 3*2=6 rules for forwarding.

# iptables -A FORWARD -s 10.17.23.0/25 -d 10.17.24.0/25 -j ACCEPT

Good luck,
David
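[Added example, not part of David's reply or bp's post.] The script below spells out the complete ruleset for the goal in the thread: accept anything from the three subnets (taken as 10.17.23.0/25, 10.17.24.0/25 and 10.32.8.0/23), let the three forward to each other, accept only SSH and ping from everywhere else, and leave outgoing traffic open. It assumes eth0 is the interface facing "everything else" and that the 10.x nets arrive on other interfaces; that interface name, the DRY_RUN switch and the helper names are this example's own, not anything from the thread. By default it only prints the iptables commands, so it can be read and checked without root; set DRY_RUN=0 and run it as root to apply.

```shell
#!/bin/sh
# Added example ruleset for the thread's goal. Assumptions (not from the post):
# WAN_IF is the interface facing the internet/"everything else"; the three
# trusted nets are reached via other interfaces. Forwarding must be enabled
# separately: echo 1 > /proc/sys/net/ipv4/ip_forward

TRUSTED_NETS="10.17.23.0/25 10.17.24.0/25 10.32.8.0/23"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = really run iptables

# ipt: wrapper that prints or executes an iptables command line.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_ruleset: emits the whole ruleset, in order.
build_ruleset() {
    # Default policies: drop unsolicited inbound and forwarded packets,
    # allow everything outgoing. (REJECT is not a valid chain policy.)
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -F FORWARD

    # Loopback, and replies to connections this box or the LAN started.
    # This is what lets outgoing sessions (and X over SSH) work.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: a trusted 10.x source address arriving on the WAN
    # interface can only be forged, so drop it before any ACCEPT rule.
    for net in $TRUSTED_NETS; do
        ipt -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # Anything from the three trusted subnets is accepted, and each
    # ordered pair of subnets may forward to the other (3 * 2 = 6 rules).
    for src in $TRUSTED_NETS; do
        ipt -A INPUT -s "$src" -j ACCEPT
        for dst in $TRUSTED_NETS; do
            [ "$src" = "$dst" ] || ipt -A FORWARD -s "$src" -d "$dst" -j ACCEPT
        done
    done

    # Everyone else gets SSH and ping only; say so with a reject rather
    # than a silent drop so legitimate users see an error quickly.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# count_forward_accepts: how many subnet-to-subnet FORWARD ACCEPT rules
# the ruleset contains (useful to check against the 3 C 2 * 2 = 6 count).
count_forward_accepts() {
    DRY_RUN=1 build_ruleset | grep -c '^iptables -A FORWARD -s 10\..* -d 10\..* -j ACCEPT$'
}

build_ruleset
```

Note that X11 forwarding over SSH needs no extra rule: it rides inside the SSH connection, which the port 22 rule admits and the ESTABLISHED rule keeps open. The anti-spoof DROP rules sit above the ACCEPT rules on purpose; iptables evaluates top to bottom, so the order of the loops matters.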


