[TriLUG] IPTABLES rule help

bp bp at itchy.kicks-ass.org
Mon Jul 14 13:56:41 EDT 2003


On Mon, 14 Jul 2003 rasch at raschnet.com wrote:

> On Mon, Jul 14, 2003 at 01:07:51PM -0400, bp wrote:
> > Goal.
> > Allow anything from 10.17.23. , 10.17.24 (both /25 subnets) and 10.32.8. 
> > (a /23 subnet.)
> > 
> > Deny everything inbound from outside of those 3 subnets except for SSH and 
> > pings.
> > 
> > I'd still like to be able to fwd X and anything outgoing to anywhere.
> > 
> > Any pro's have a 3 or 4 line ruleset for that order?
> 
> What's the topology here?  Do you have two nic's: one to "everything
> else"/internet and one to one of these 10 networks, and a router to the
> others?  The best way to do this is to ensure that the incoming packets
> came into the router on an appropriate interface, then check that the
> forwarding is valid.  
> 
> I don't write my own firewall rules anymore, I use Shorewall, and have
> yet to find something it cannot do.  To achieve this goal in shorewall,
> you would add each of these 10 nets to your "loc" zone and then in
> your policy file specify that "loc" to "loc" should be unconditionally
> ACCEPTed.  Then, specify "net" to "loc" to be REJECTed.  You can then
> use the "rules" file to specify exceptions if you so desire.
> 
> Otherwise, you can do the following:
> 
> make sure forwarding is on
> 
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # iptables -P FORWARD DROP
> here's where Shorewall saves you a ton of work.  To do this, you have to
> enter each permutation of possible source/dest pairs. I'll just show
> one.  You can also specify an incoming interface requirement with "-i
> eth0" (change for appropriate interface). This will avoid someone
> spoofing a packet into your LAN.  You have 3 nets, and 3 pairs of nets
> (3 C 2 = 3) so you should have 3*2=6 rules for forwarding.
> 
> # iptables -A FORWARD -s 10.17.23.0/25 -d 10.17.24.0/25 -j ACCEPT
> 
> Good luck,
> David
> 


This isn't a firewall machine but rather just a plain lab box.  Single 
nic.  Figured on something more like:

Deny ALL
allow ping from *
allow ssh from *
allow * from x, y, z subnets

Any rules that simple for what I want?  -bp
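A ruleset of the shape bp sketches, as an added example that is not from the original thread: a script that emits an iptables-restore file for a single-NIC box with default-deny inbound, ping and SSH from anywhere, everything from the three subnets, and all outbound. It assumes the /25s are the .0/25 halves (as in David's example) and adds the conntrack rule without which replies to the box's own outbound connections (X over SSH included) would be dropped.

```shell
#!/bin/sh
# Constructed example: emits an iptables-restore ruleset for bp's lab box.
# Assumption: the two /25s are the .0/25 halves, as in David's reply.
TRUSTED_NETS="10.17.23.0/25 10.17.24.0/25 10.32.8.0/23"

gen_rules() {
    echo '*filter'
    # Default policies: drop unsolicited inbound, forward nothing (single NIC),
    # allow everything outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this box itself opened.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Ping from anywhere (only echo-request; replies match ESTABLISHED above).
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # SSH from anywhere.
    echo '-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT'
    # Anything at all from the trusted subnets.
    for net in $TRUSTED_NETS; do
        echo "-A INPUT -s $net -j ACCEPT"
    done
    # Log what falls through to the DROP policy, rate-limited so the log
    # cannot be flooded; useful for seeing who is knocking on the box.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "'
    echo 'COMMIT'
}

# Print the ruleset for review; load it as root with: gen_rules | iptables-restore
gen_rules
```

The policy is DROP rather than REJECT because iptables only accepts built-in targets as chain policies; anything not matched above is silently dropped after being logged.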



