iptables advice


iptables advice

Debian EN
Hello all :-)

I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules:

iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j ACCEPT

and the same rules for 192.168.2/24: this allows each LAN to see the other LAN.

Can I prevent only lan2 (192.168.2/24) from seeing lan1 (192.168.1/24) but
allow lan1 to see lan2?

thanks!

Pol


Re: iptables advice

recoverym4n
Hi.


On Thu, Oct 27, 2016 at 01:36:23PM +0200, Pol Hallen wrote:

> Hello all :-)
>
> I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules:
>
> iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j ACCEPT
>
> and the same rules for 192.168.2/24: this allows each LAN to see the other LAN.
>
> Can I prevent only lan2 (192.168.2/24) from seeing lan1 (192.168.1/24) but
> allow lan1 to see lan2?

Seems to be very straightforward (assuming that you're using FORWARD
ACCEPT policy):

iptables -A FORWARD -s 192.168.2/24 -d 192.168.1/24 -m conntrack \
        --ctstate NEW -m comment --comment 'lan2 cannot see lan1' -j DROP
iptables -A FORWARD -s 192.168.1/24 -d 192.168.2/24 -m conntrack \
        --ctstate NEW -m comment --comment 'lan1 can see lan2' -j ACCEPT
iptables -A FORWARD -s 192.168.2/24 -d 192.168.1/24 -m conntrack \
        --ctstate ESTABLISHED,RELATED -m comment --comment \
        'lan2 can answer lan1' -j ACCEPT

BTW consider migrating from obsolete 'state' to the new 'conntrack' in
your other rules.

Reco


Re: iptables advice

Debian EN
> iptables -A FORWARD -s 192.168.2/24 -d 192.168.1/24 -m conntrack \
> --ctstate NEW -m comment --comment 'lan2 cannot see lan1' -j DROP
[...]

cheers! :-p

Pol


Re: iptables advice

Dan Ritter-4
In reply to this post by Debian EN
On Thu, Oct 27, 2016 at 01:36:23PM +0200, Pol Hallen wrote:

> Hello all :-)
>
> I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules:
>
> iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j ACCEPT
>
> and the same rules for 192.168.2/24: this allows each LAN to see the other LAN.
>
> Can I prevent only lan2 (192.168.2/24) from seeing lan1 (192.168.1/24) but
> allow lan1 to see lan2?

It depends on what you mean by "see".

Do you mean 192.168.1/24 should be able to start connections to
192.168.2/24 and receive replies, but not the reverse?

If so, you want:

# .1 can send anything anywhere
-A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
# .2 can send back answers to .1
-A FORWARD -s 192.168.2/24 -d 192.168.1/24 \
             -m state --state ESTABLISHED,RELATED -j ACCEPT
# .2 is not allowed to establish new sessions to .1
-A FORWARD -s 192.168.2/24 -d 192.168.1/24 \
             -m state --state NEW -j DROP
# .1 can receive anything else
-A FORWARD -s 0/0 -d 192.168.1/24 -j ACCEPT

-dsr-


Re: iptables advice

Pascal Hambourg-2
In reply to this post by Debian EN
On 27/10/2016 at 13:36, Pol Hallen wrote:
>
> I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules:

Please be more precise. Iptables rules are created on nodes (hosts and
routers), not networks.

> iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j ACCEPT
>
> and the same rules for 192.168.2/24: this allows each LAN to see the other LAN.

My advice is to use interface names instead of addresses whenever
possible. Source addresses can be spoofed.

> Can I prevent only lan2 (192.168.2/24) from seeing lan1 (192.168.1/24) but
> allow lan1 to see lan2?

You're not telling us the whole picture, are you? There are other
networks, aren't there?

An iptables rule is not isolated, it is part of a ruleset. To achieve
the same purpose, different rules may be required for different rulesets.
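Added example, written for this thread and not code from any of the posters: a small Python first-match simulator of a FORWARD chain, so the rulesets proposed by Reco and Dan above can be checked offline against the four flows that matter (lan1 opening to lan2, lan2 answering, lan2 opening to lan1, and a lan2 host forging a lan1 source address, which is the spoofing case Pascal raises). It also encodes an interface-based variant of the kind Pascal recommends. Assumptions: interface names eth1 (lan1 side) and eth2 (lan2 side), a DROP policy for Dan's chain and the interface chain, Reco's third rule read in the direction its comment states (lan2 answering lan1), and all host addresses in the sample flows; the rule order of Reco's set relative to Pol's original rules is varied deliberately, because it is not stated in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    """One forwarded packet as the FORWARD chain sees it (constructed sample)."""
    src: str       # source IP address
    dst: str       # destination IP address
    state: str     # conntrack state: NEW, ESTABLISHED or RELATED
    in_if: str     # interface the packet arrived on (-i)
    out_if: str    # interface it would leave on (-o)


@dataclass
class Rule:
    """One iptables rule; a field left as None is simply not matched on."""
    verdict: str                        # ACCEPT or DROP
    src: Optional[str] = None           # -s CIDR
    dst: Optional[str] = None           # -d CIDR
    states: Optional[Set[str]] = None   # -m conntrack --ctstate ... / -m state --state ...
    in_if: Optional[str] = None         # -i
    out_if: Optional[str] = None        # -o

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.out_if and p.out_if != self.out_if:
            return False
        return True


def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule wins, as iptables walks a chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.verdict
    return policy


# Constructed sample flows; host addresses and interface names are assumptions.
FLOWS = {
    "lan1 opens to lan2": Packet("192.168.1.10", "192.168.2.20", "NEW", "eth1", "eth2"),
    "lan2 answers lan1": Packet("192.168.2.20", "192.168.1.10", "ESTABLISHED", "eth2", "eth1"),
    "lan2 opens to lan1": Packet("192.168.2.20", "192.168.1.10", "NEW", "eth2", "eth1"),
    # arrives on the lan2 interface but claims a lan1 source address
    "lan2 host spoofs a lan1 source": Packet("192.168.1.50", "192.168.1.10", "NEW", "eth2", "eth1"),
}


def evaluate(chain: List[Rule], policy: str) -> Dict[str, str]:
    """Run every sample flow through a chain; returns flow name -> verdict."""
    return {name: verdict(chain, policy, p) for name, p in FLOWS.items()}


LAN1, LAN2 = "192.168.1.0/24", "192.168.2.0/24"
EST = {"ESTABLISHED", "RELATED"}

# Pol's original rules: both directions fully open.
POL = [
    Rule("ACCEPT", src=LAN1),
    Rule("ACCEPT", dst=LAN1, states=EST),
    Rule("ACCEPT", src=LAN2),
    Rule("ACCEPT", dst=LAN2, states=EST),
]

# Reco's three rules (third rule in the direction its comment states). Chain policy ACCEPT.
RECO = [
    Rule("DROP", src=LAN2, dst=LAN1, states={"NEW"}),
    Rule("ACCEPT", src=LAN1, dst=LAN2, states={"NEW"}),
    Rule("ACCEPT", src=LAN2, dst=LAN1, states=EST),
]

# Dan's four rules; the policy does not affect these flows, DROP is assumed.
DAN = [
    Rule("ACCEPT", src=LAN1),
    Rule("ACCEPT", src=LAN2, dst=LAN1, states=EST),
    Rule("DROP", src=LAN2, dst=LAN1, states={"NEW"}),
    Rule("ACCEPT", dst=LAN1),
]

# Interface-based variant in the spirit of Pascal's advice (assumed eth1/eth2, policy DROP).
IFACE = [
    Rule("ACCEPT", in_if="eth1", out_if="eth2"),
    Rule("ACCEPT", in_if="eth2", out_if="eth1", states=EST),
]

if __name__ == "__main__":
    for label, chain, policy in [("Reco before Pol", RECO + POL, "ACCEPT"),
                                 ("Pol before Reco", POL + RECO, "ACCEPT"),
                                 ("Dan", DAN, "DROP"), ("interface-based", IFACE, "DROP")]:
        print(label)
        for flow, v in evaluate(chain, policy).items():
            print(f"  {flow:32s} {v}")
```

Two things the simulation shows that the posts only imply: Reco's DROP rule must sit before Pol's existing "-s 192.168.2/24 -d 0/0 -j ACCEPT" (appending it with -A after that rule leaves lan2 free to open connections to lan1), and every address-based variant accepts a NEW packet that arrives on the lan2 interface with a forged lan1 source, while the interface-based chain drops it.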