On Tue, Apr 09, 2013 at 05:41:39PM +0200, Jimmy Thrasibule wrote:
> I've got a Linux box sitting between different local networks. I'd like
> to set up access policies between each network so I thought about a zone
> based firewall.
> Each zone is responsible for its incoming and outgoing traffic. However
> this role is played by the same box and if a packet is accepted by a
> zone, it cannot be denied by another zone.

Could you explain the theory behind this concept?

I prefer to specify the allowed stuff depending on egress first and
ingress second, it is pretty easy to understand. Also you want to use
ferm for iptables-based packet filters. A filter for your problem done
in my usual style would look like this:

domain (ip ip6) table filter chain FORWARD {
    # egress: traffic leaving towards the servers
    outerface $servers {
        # ingress: traffic that arrived from marketing
        interface $marketing {
            proto tcp dport 22 REJECT;
            ACCEPT;
        }
    }
    REJECT;
}

> Here are the iptables rules I would go for:
> # Traffic coming from the zones.
> -A FORWARD -i eth0 -j ZONE_MRKT
> -A FORWARD -i eth1 -j ZONE_SRV
>
> # Traffic to the zones.
> -A FORWARD -o eth0 -j ZONE_MRKT
> -A FORWARD -o eth1 -j ZONE_SRV

Don't mix definitions for ingress and egress traffic. You will allow
spoofed traffic.

> # Let's look at marketing.
> -A ZONE_MRKT -i eth0 -s mar.ket.ing.net/mask -d 0.0.0.0/0 -j MRKT_OUT

The chain should already include the information that it comes from
marketing. Don't even think about doing checks by address.

> # Marketing allows any outgoing traffic.
> -A MRKT_OUT -j ACCEPT

Now you accepted ssh to the servers.

> How would you manage such a case?

Don't try to be too clever. KISS is the key for creating a maintainable
setup.

Bastian

-- 
The man on top walks a lonely street; the "chain" of command is often a noose.

Archive: http://lists.debian.org/20130409192604.ga24...@waldi.eu.org
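The egress-first layout from Bastian's ferm snippet and the per-zone layout from the question, written out as iptables rule lists and run through a small first-match rule walker, as an added example that is not part of the thread. The interface names (eth0 for marketing, eth1 for the servers) and the chain names are assumptions.

```shell
# Added example, not from the thread: Bastian's egress-first layout and the
# per-zone layout from the question, in the "-A" form iptables -S prints,
# plus a small walker. Assumed interfaces: eth0 = marketing, eth1 = servers.
MKT=eth0; SRV=eth1

# Destination zone first, source zone second, interfaces only: a spoofed
# source address never selects a chain.
egress_first() { cat <<EOF
-A FORWARD -o $SRV -j TO_SRV
-A FORWARD -j REJECT
-A TO_SRV -i $MKT -j TO_SRV_FROM_MKT
-A TO_SRV_FROM_MKT -p tcp --dport 22 -j REJECT
-A TO_SRV_FROM_MKT -j ACCEPT
EOF
}

# The question's layout: the ingress chain for marketing accepts before the
# egress chain for the servers is ever consulted.
per_zone() { cat <<EOF
-A FORWARD -i $MKT -j ZONE_MRKT
-A FORWARD -o $SRV -j ZONE_SRV
-A ZONE_MRKT -j ACCEPT
-A ZONE_SRV -p tcp --dport 22 -j REJECT
EOF
}

# walk RULESET CHAIN IN OUT PROTO DPORT: first terminating match wins; a user
# chain that ends without a verdict falls through to the caller, as in the kernel.
walk() {
    r=$1 c=$2 i=$3 o=$4 p=$5 d=$6
    $r | grep "^-A $c " | while read -r line; do
        set -- $line; shift 2; ok=1; tgt=
        while [ $# -gt 0 ]; do
            case $1 in
                -i) [ "$2" = "$i" ] || ok=0 ;;    -o) [ "$2" = "$o" ] || ok=0 ;;
                -p) [ "$2" = "$p" ] || ok=0 ;;    --dport) [ "$2" = "$d" ] || ok=0 ;;
                -j) tgt=$2 ;;
            esac; shift 2
        done
        [ "$ok" = 1 ] || continue
        case $tgt in
            ACCEPT|REJECT|DROP) echo "$tgt"; exit 0 ;;   # verdict: leave the loop subshell
            *) v=$(walk "$r" "$tgt" "$i" "$o" "$p" "$d")
               [ -z "$v" ] || { echo "$v"; exit 0; } ;;
        esac
    done
}
# verdict RULESET IN OUT PROTO DPORT -> ACCEPT, REJECT or DROP (the FORWARD policy)
verdict() { v=$(walk "$1" FORWARD "$2" "$3" "$4" "$5"); echo "${v:-DROP}"; }
```

`verdict per_zone eth0 eth1 tcp 22` answers ACCEPT, which is the ssh leak Bastian points out, while the same packet under `egress_first` is rejected. A packet that arrives on eth1 with a forged marketing address never reaches the marketing chain because only the interface selects it.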