Hello, Makara wrote:
>
> Here is my network diagram
>
>                                                    / LAN1 [10.101.189.0/24]
> internet---------------[eth0]--------------{Linux}-----------------[eth1]
>                                                    \ LAN2 [192.168.0/24]
>
> My iptables script
>
> # EDIT This line only
>
> IP_WAN=x.x.x.x
>
> # DO NOT EDIT
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> modprobe ip_conntrack

Unnecessary, should be automatically loaded by ip_conntrack_ftp

> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp

Unnecessary, should be automatically loaded by ip_nat_ftp

> # Flush all rules
>
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -F -t nat
> iptables -F -t mangle
>
> # Default Policies
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> # Allow UDP, DNS and Passive FTP
> iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

All 3 rules are useless, as the default policies are already ACCEPT and there are no DROP nor REJECT rules. Also, the comment is misleading: they accept much more than just UDP, DNS and passive FTP. They actually accept almost anything.

> # garena game
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 0/0 --dport 1511:1611

This rule has no target (-j <target>) and therefore no action.

> # Transparent Proxy if it's network game
> iptables -A PREROUTING -t nat -i eth1 -s 10.101.189.0/24
> 10.101.189.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
>
> # NAT
> iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source $IP_WAN
>
>
> Both LAN1 and LAN2 can access the internet, which is good, but they can
> also access each other.
>
> Please kindly help, I don't want LAN1 to connect to LAN2 or LAN2 to connect
> to LAN1.

If both subnets share the same Ethernet network (e.g. use the same switches without any separate VLANs), then they can communicate directly over this Ethernet network, skipping the Linux router.

If some hosts do not have a direct route to the other subnet, they will use the router to reach hosts in the other subnet, and then you can insert iptables rules to DROP traffic in the FORWARD chain:

iptables -I FORWARD -i eth0 -o eth0 -j DROP

But be warned that it will have no effect on hosts which have a direct route to the other subnet.

--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
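The reply above makes two points: subnet-to-subnet DROP rules belong at the front of the FORWARD chain, and they only bite when the traffic actually crosses the router. The script below is an added example, not code from either poster; it emits explicit DROP rules for both directions between the two LANs from the diagram (assuming both hang off eth1, and writing the mail's 192.168.0/24 out as 192.168.0.0/24) and includes a small on_link check that shows when a host would bypass the router entirely.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults follow the diagram in the
# mail: both LANs behind eth1. Override via environment variables if needed.
LAN_IF="${LAN_IF:-eth1}"
LAN1="${LAN1:-10.101.189.0/24}"
LAN2="${LAN2:-192.168.0.0/24}"

# Print the iptables arguments, one rule per line. -I places them in front
# of the broad "--state NEW,RELATED,ESTABLISHED -j ACCEPT" rule from the
# original script, so the DROP is evaluated first. Both directions are
# needed: a stateful ACCEPT would otherwise let replies through.
inter_lan_block_rules() {
    printf '%s\n' \
        "-I FORWARD -i $LAN_IF -o $LAN_IF -s $LAN1 -d $LAN2 -j DROP" \
        "-I FORWARD -i $LAN_IF -o $LAN_IF -s $LAN2 -d $LAN1 -j DROP"
}

# Apply for real (needs root and iptables): APPLY=1 sh thisfile
apply_rules() {
    inter_lan_block_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        iptables $rule
    done
}

# Dotted-quad IPv4 address -> 32-bit integer, using POSIX sh arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# on_link HOST/PREFIX PEER: succeeds (status 0) when PEER lies inside the
# host's own configured subnet. Such a host ARPs for the peer directly and
# never hands the packet to the router, which is exactly the caveat in the
# reply: no FORWARD rule can block that traffic.
on_link() {
    host=${1%/*}; plen=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$host") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    inter_lan_block_rules   # dry run: just show the rules
fi
```

Run it without APPLY=1 first to see the rules; a host configured with a mask wide enough to cover the other LAN (for example 10.101.189.7/8 reaching anything in 10.0.0.0/8) is one the router will never see traffic from.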

