Hi List,

Thanks for your help, especially Pascal; thank you for your detailed and meaningful
description.

I hope I can get it done soon.

I'm not so clear on this, or maybe you got confused about it. If possible please
reply, because I cannot test the script right now.

Your advice:

iptables -I FORWARD -i eth0 -o eth0 -j DROP

eth0 <<< is WAN
eth1 <<< is LAN

I think you are talking about

iptables -I FORWARD -i eth1 -o eth1 -j DROP


Please help?


On Sat, Aug 21, 2010 at 7:33 PM, Pascal Hambourg <[email protected]> wrote:

> Hello,
>
> Makara wrote:
> >
> > Here is my network diagram
> >
> >
> >                                                                         / LAN1 [10.101.189.0/24]
> > internet---------------[eth0]--------------{Linux}-----------------[eth1]
> >                                                                         \ LAN2 [192.168.0/24]
> >
> > My iptables script
> >
> > # EDIT This line only
> >
> > IP_WAN=x.x.x.x
> >
> > # DO NOT EDIT
> >
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > modprobe ip_conntrack
>
> Unnecessary, should be automatically loaded by ip_conntrack_ftp
>
> > modprobe ip_nat_ftp
> > modprobe ip_conntrack_ftp
>
> Unnecessary, should be automatically loaded by ip_nat_ftp
>
> > # Flush all rules
> >
> > iptables -F INPUT
> > iptables -F FORWARD
> > iptables -F OUTPUT
> > iptables -F -t nat
> > iptables -F -t mangle
> >
> > # Default Policies
> >
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> >
> > # Allow UDP, DNS and Passive FTP
> > iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> All 3 rules are useless, as the default policies are already ACCEPT and
> there are no DROP nor REJECT rules. Also, the comment is misleading:
> they accept much more than just UDP, DNS and passive FTP. They actually
> accept almost anything.
>
> > # garena game
> > iptables -t nat -A PREROUTING -p udp -i eth0 -d 0/0 --dport 1511:1611
>
> This rule has no target (-j <target>) and therefore no action.
>
> > # Transparent Proxy if it's network game
> > iptables -A PREROUTING -t nat -i eth1 -s 10.101.189.0/24
> > 10.101.189.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> >
> >
> > # NAT
> > iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source $IP_WAN
> >
> >
> > Both LAN1 n LAN2 can access internet it's good but they can access to
> > each other.
> >
> > Please kindly help, I don't want LAN1 connect to LAN2 or LAN2 connect to
> > LAN1.
>
> If both subnets share the same ethernet network (e.g. use the same
> switches without any separate VLANs), then they can communicate directly
> over this ethernet network, skipping the Linux router. If some hosts do
> not have a direct route to the other subnet they will use the router to
> reach hosts in the other subnet and then you can insert iptables rules
> to DROP traffic in the FORWARD chain:
>
> iptables -I FORWARD -i eth0 -o eth0 -j DROP
>
> But be warned that it will have no effect on hosts which have a direct
> route to the other subnet.
>
>


-- 
The person who loves others will also be loved.
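As an added example (not part of this thread, and not code posted by Makara or Pascal), the following Python script models the router's FORWARD chain with first-match semantics and a longest-prefix route lookup, so the `-i eth0 -o eth0` rule and the `-i eth1 -o eth1` rule can be compared against LAN1 to LAN2 traffic and LAN to internet traffic without touching a live firewall. Its assumptions: the interface layout from the diagram (eth0 is the WAN side, both LANs hang off eth1), LAN2 read as 192.168.0.0/24, and the router at 10.101.189.1 as the LAN1 hosts' default gateway. The constructed host routing tables at the end model Pascal's caveat: a host with an on-link route to the other subnet never hands that traffic to the router at all.

```python
# Added example (not code from the thread): a small model of the Linux router's
# FORWARD chain, used to check which DROP rule actually separates LAN1 and LAN2.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Router routing table implied by the diagram. Assumption: LAN2, written as
# "192.168.0/24" in the thread, is taken to mean 192.168.0.0/24.
ROUTER_ROUTES: Dict[str, str] = {
    "10.101.189.0/24": "eth1",  # LAN1, on-link via eth1
    "192.168.0.0/24": "eth1",   # LAN2, also on-link via eth1
    "0.0.0.0/0": "eth0",        # default route: the WAN side
}


def egress_iface(dst: str, routes: Dict[str, str] = ROUTER_ROUTES) -> str:
    """Longest-prefix-match lookup: the interface the router sends dst out of.
    This is what iptables compares against -o in the FORWARD chain."""
    addr = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(n) for n in routes if addr in ipaddress.ip_network(n)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return routes[str(best)]


@dataclass
class Rule:
    """One FORWARD rule: optional -i / -o / -s / -d matches and a -j target."""
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src: Optional[str] = None  # CIDR
    dst: Optional[str] = None  # CIDR

    def matches(self, in_iface: str, out_iface: str, src: str, dst: str) -> bool:
        if self.in_iface is not None and in_iface != self.in_iface:
            return False
        if self.out_iface is not None and out_iface != self.out_iface:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def forward_verdict(rules: List[Rule], in_iface: str, src: str, dst: str,
                    policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in iptables; otherwise the chain policy applies.
    A rule inserted with -I sits first, so it is checked before the ACCEPT rule."""
    out_iface = egress_iface(dst)
    for rule in rules:
        if rule.matches(in_iface, out_iface, src, dst):
            return rule.target
    return policy


# The rule Pascal wrote and the one Makara thinks was meant.
RULE_ETH0 = [Rule("DROP", in_iface="eth0", out_iface="eth0")]
RULE_ETH1 = [Rule("DROP", in_iface="eth1", out_iface="eth1")]
# Tighter alternative (an assumption of this example, not from the thread):
# drop only LAN1<->LAN2, leaving any other traffic hairpinned on eth1 alone.
RULES_BY_SUBNET = [
    Rule("DROP", src="10.101.189.0/24", dst="192.168.0.0/24"),
    Rule("DROP", src="192.168.0.0/24", dst="10.101.189.0/24"),
]


def host_sends_via_router(host_routes: Dict[str, str], dst: str) -> bool:
    """Pascal's caveat: a host whose own table has an on-link route covering dst
    resolves it with ARP and talks to it directly; the packet never reaches the
    router's FORWARD chain. Values are "onlink" or a gateway address."""
    addr = ipaddress.ip_address(dst)
    matching = [n for n in host_routes if addr in ipaddress.ip_network(n)]
    best = max(matching, key=lambda n: ipaddress.ip_network(n).prefixlen)
    return host_routes[best] != "onlink"


if __name__ == "__main__":
    lan1_host, lan2_host, outside = "10.101.189.5", "192.168.0.7", "8.8.8.8"
    for name, rules in (("-i eth0 -o eth0", RULE_ETH0), ("-i eth1 -o eth1", RULE_ETH1),
                        ("by subnet", RULES_BY_SUBNET)):
        print(f"{name:16} LAN1->LAN2: {forward_verdict(rules, 'eth1', lan1_host, lan2_host)}"
              f"  LAN1->internet: {forward_verdict(rules, 'eth1', lan1_host, outside)}")
    # Constructed host tables: a LAN1 host with only its own subnet on-link (it
    # uses the router, assumed to be 10.101.189.1) versus one with LAN2 on-link too.
    plain = {"10.101.189.0/24": "onlink", "0.0.0.0/0": "10.101.189.1"}
    direct = {"10.101.189.0/24": "onlink", "192.168.0.0/24": "onlink", "0.0.0.0/0": "10.101.189.1"}
    print("plain host goes via router:", host_sends_via_router(plain, lan2_host))
    print("host with direct route goes via router:", host_sends_via_router(direct, lan2_host))
```

Run as is, the model shows that a LAN1 to LAN2 packet enters and leaves the router on eth1, so only the `-i eth1 -o eth1` form (or the subnet pair) matches it; `-i eth0 -o eth0` would match only traffic arriving from and returning to the WAN side. Two things the model deliberately leaves out are worth checking on the real box: the script's `-I FORWARD` must come after the flush so it stays ahead of the broad ACCEPT rule, and the PREROUTING REDIRECT sends LAN1's TCP/80 traffic to the local proxy on port 3128 regardless of destination, so those connections traverse INPUT rather than FORWARD and the proxy will open its own connection towards a LAN2 web server unless it is configured to refuse such destinations.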