On Mon, Aug 23, 2010 at 2:07 PM, Mark Chong <[email protected]> wrote:

> Hi Makara
>
> That would be correct
> iptables -I FORWARD -i eth1 -o eth1 -j DROP
> would stop routing packets between your two networks assuming eth1 is
> plugged into your switch and eth0 is not
>

That's correct: eth1 is connected to the switch and eth0 is connected directly to
the ISP media.

Thank you for the confirmation. Just for the first stage I allow everything; I will
block the INPUT chain on the eth0 interface and the FORWARD chain soon after
everything is done.

Thanks again for all the professional recommendations.



>
> However, as Pascal mentioned, this relies on at least one of the hosts not
> having a route back to the machine trying to contact it; but even if it
> can't respond to requests, it is still open to potential attacks from the
> hosts that can still send the requests.
>
>
> With your eth0 -> eth1 firewall rules you want to ensure that you allow
> outbound but restrict inbound connections, and usually you would do
> this by setting a default DROP policy on the FORWARD chain followed by
> rules to allow eth1 -> internet, and stateful rules to allow internet
> -> eth1, like (and this is just an example):
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> You would also want to put rules on the INPUT chain too, to protect
> against unwanted connections coming from the internet connecting
> directly to your router.
>
> On Mon, 23 Aug 2010 09:10:48 +0700
> Makara <[email protected]> wrote:
>
> > Hi List,
> >
> > Thanks for your help, especially Pascal; thank you for your detailed and
> > meaningful description.
> >
> > I hope I can get it done soon.
> >
> > I'm not so clear, or maybe you got confused about that; if possible
> > please reply, because I cannot test the script right now.
> >
> > Your advice:
> >
> > iptables -I FORWARD -i eth0 -o eth0 -j DROP
> >
> > eth0 ,<<< WAN
> > eth1 <<< is LAN
> >
> > I think you are talking about
> >
> > iptables -I FORWARD -i eth1 -o eth1 -j DROP
> >
> >
> > Please help?
> >
> >
> > On Sat, Aug 21, 2010 at 7:33 PM, Pascal Hambourg <
> > [email protected]> wrote:
> >
> > > Hello,
> > >
> > > Makara wrote:
> > > >
> > > > Here is my network diagram
> > > >
> > > >
> > > >          / LAN1 [10.101.189.0/24]
> > > >
> > > > internet---------------[eth0]--------------{Linux}-----------------[eth1]
> > > >
> > > >          \LAN2 [192.168.0/24]
> > > >
> > > > My iptables script
> > > >
> > > > # EDIT This line only
> > > >
> > > > IP_WAN=x.x.x.x
> > > >
> > > > # DO NOT EDIT
> > > >
> > > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > > >
> > > > modprobe ip_conntrack
> > >
> > > Unnecessary, should be automatically loaded by ip_conntrack_ftp
> > >
> > > > modprobe ip_nat_ftp
> > > > modprobe ip_conntrack_ftp
> > >
> > > Unnecessary, should be automatically loaded by ip_nat_ftp
> > >
> > > > # Flush all rules
> > > >
> > > > iptables -F INPUT
> > > > iptables -F FORWARD
> > > > iptables -F OUTPUT
> > > > iptables -F -t nat
> > > > iptables -F -t mangle
> > > >
> > > > # Default Policies
> > > >
> > > > iptables -P INPUT ACCEPT
> > > > iptables -P FORWARD ACCEPT
> > > > iptables -P OUTPUT ACCEPT
> > > >
> > > > # Allow UDP, DNS and Passive FTP
> > > > iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > > > iptables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > > > iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > >
> > > All 3 rules are useless, as the default policies are already ACCEPT
> > > and there are no DROP nor REJECT rules. Also, the comment is
> > > misleading : they accept much more than just UDP, DNS and passive
> > > FTP. They actually accept almost anything.
> > >
> > > > # garena game
> > > > iptables -t nat -A PREROUTING -p udp -i eth0 -d 0/0 --dport 1511:1611
> > >
> > > This rule has no target (-j <target>) and therefore no action.
> > >
> > > > # Transparent Proxy if it's network game
> > > > iptables -A PREROUTING -t nat -i eth1 -s 10.101.189.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > > >
> > > >
> > > > # NAT
> > > > iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source $IP_WAN
> > > >
> > > >
> > > > Both LAN1 and LAN2 can access the internet, which is good, but they
> > > > can also access each other.
> > > >
> > > > Please kindly help; I don't want LAN1 to connect to LAN2 or LAN2 to
> > > > connect to LAN1.
> > >
> > > If both subnets share the same ethernet network (e.g. use the same
> > > switches without any separate VLANs), then they can communicate
> > > directly over this ethernet network, skipping the Linux router. If
> > > some hosts do not have a direct route to the other subnet they will
> > > use the router to reach hosts in the other subnet and then you can
> > > insert iptables rules to DROP traffic in the FORWARD chain:
> > >
> > > iptables -I FORWARD -i eth0 -o eth0 -j DROP
> > >
> > > But be warned that it will have no effect on hosts which have a
> > > direct route to the other subnet.
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to [email protected]
> > > with a subject of "unsubscribe". Trouble? Contact
> > > [email protected]
> > > Archive: http://lists.debian.org/[email protected]
> > >
> > >
> >
> >
>
>
>
>
>


-- 
The person who loves others will also be loved.
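The following is an added example and not code from the thread: a complete rule set that applies Mark's advice (default DROP on FORWARD, a restricted INPUT chain, stateful acceptance of return traffic) together with the `-i eth1 -o eth1 -j DROP` rule Pascal proposed for LAN1/LAN2 traffic, built on top of the NAT and transparent-proxy rules from Makara's script. It assumes eth0 faces the ISP and eth1 the switch, that LAN1 is 10.101.189.0/24 (the subnet the script proxies), that squid listens on port 3128 on the router, that SSH on port 22 should be reachable from the LAN side only, and that IP_WAN holds the router's public address; the 192.0.2.10 placeholder is a documentation address, not a real one.

```shell
#!/bin/sh
# Added example, not code from the thread: a rule set applying Mark's advice
# (DROP policies on FORWARD and INPUT, stateful return traffic) plus Pascal's
# FORWARD rule for LAN1<->LAN2 traffic, on top of Makara's NAT/proxy rules.
# Assumptions: eth0 = ISP side, eth1 = switch side, LAN1 = 10.101.189.0/24,
# squid on 3128 on the router, SSH on 22 wanted from the LAN, IP_WAN = public IP.
set -eu

IP_WAN="${IP_WAN:-192.0.2.10}"   # placeholder (documentation range); set the real address
WAN_IF="eth0"
LAN_IF="eth1"
LAN1="10.101.189.0/24"
IPT="iptables"                   # command that receives each rule; load_rules overrides it

# Run one iptables invocation through whatever command load_rules selected.
r() { "$IPT" "$@"; }

firewall_rules() {
  # Clean slate in every table, as the original script does.
  r -F INPUT
  r -F FORWARD
  r -F OUTPUT
  r -t nat -F
  r -t mangle -F

  # Default policies: nothing reaches the router or crosses it unless a rule allows it.
  r -P INPUT DROP
  r -P FORWARD DROP
  r -P OUTPUT ACCEPT

  # INPUT: packets addressed to the router itself.
  r -A INPUT -i lo -j ACCEPT
  r -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  r -A INPUT -m state --state INVALID -j DROP
  # After REDIRECT the proxied web traffic is addressed to the router, so it is
  # delivered via INPUT, not FORWARD: without this rule the transparent proxy breaks.
  r -A INPUT -i "$LAN_IF" -s "$LAN1" -p tcp --dport 3128 -j ACCEPT
  # Management only from the LAN side (assumption: SSH on port 22).
  r -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
  # Everything else arriving on eth0 for the router itself hits the DROP policy.

  # FORWARD: routed packets. The inter-LAN DROP comes first so that no later
  # ACCEPT (including the stateful one) can let LAN1<->LAN2 traffic through.
  r -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j DROP
  r -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  r -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  # Unsolicited internet -> LAN packets fall through to the DROP policy.

  # nat: transparent proxy for LAN1 and source NAT for everything leaving eth0.
  # (The "garena" PREROUTING rule from the original script is left out: it had
  # no target, so its intended action is unknown.)
  r -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN1" -p tcp --dport 80 -j REDIRECT --to-port 3128
  r -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$IP_WAN"
}

# Feed the rule set to a command: "iptables" to load it, or print_rule to review it.
load_rules() {
  IPT="${1:-iptables}"
  firewall_rules
}

# Dry-run sink: print each rule's arguments on one line instead of executing it.
print_rule() { printf '%s\n' "$*"; }

# Usage: sh firewall.sh --dry-run   (print the rules)
#        sh firewall.sh --apply     (as root: enable forwarding and load them)
case "${1:-}" in
  --dry-run) load_rules print_rule ;;
  --apply)   echo 1 > /proc/sys/net/ipv4/ip_forward; load_rules iptables ;;
  *)         : ;;   # no argument: only define the functions (file can be sourced)
esac
```

Review the output of `sh firewall.sh --dry-run` before running `--apply` as root, preferably from a console rather than over SSH, since the INPUT policy becomes DROP before the SSH accept rule is added. Pascal's caveat still applies to every rule in the FORWARD chain: the router only sees packets that are routed through it. If LAN1 and LAN2 hosts share the same switch without separate VLANs and have a route to each other's subnet, they exchange frames directly and the DROP never fires; running `ip route get 192.168.0.1` (or a traceroute) on a LAN1 host shows whether the next hop is the router or the destination host itself, and only separate VLANs or switches actually enforce the separation in that case.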
