www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices

Isolate Subnet

meggawhat
Joined: 06 Jan 2011
Posts: 2
Posted: Sat Aug 25, 2012 1:45 am    Post subject: Isolate Subnet

I have 2 subnets on 2 interfaces.

ETH00 192.168.1.0/24 is RADIUS | for Employees
ETH03 192.168.2.0/24 is WPA2 | for Guests.

ETH01 is Internet...

Default is DROP..
I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0

Both subnets can ping each other and get to the internet WAN.

But I want to *block* traffic coming from 192.168.2.0/24 from getting through to 192.168.1.0/24.

And *Allow* traffic coming from 192.168.1.0/24 to get to 192.168.2.0/24.

Can someone help me with the firewall rule?
redfive
Joined: 27 Aug 2009
Posts: 232
Posted: Sat Aug 25, 2012 4:40 pm

If ETH01 is directly connected to the internet (PPPoE?), four simple rules in the forward chain, with DROP as the default policy, should be enough for a starting config.
Code:
1 ACCEPT     all  --  ETH00  *       192.168.1.0/24        0.0.0.0/0
2 ACCEPT     all  --  ETH03  !ETH00  192.168.2.0/24        0.0.0.0/0
3 ACCEPT     all  --  ETH03  ETH00   192.168.2.0/24        192.168.1.0/24    state RELATED,ESTABLISHED
4 ACCEPT     all  --  ETH01  *       0.0.0.0/0             192.168.0.0/22    state RELATED,ESTABLISHED
Quote:
Default is DROP..
I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0
And about ETH01? Return traffic seems not to be allowed... are you using a proxy?
cheers
jonatha
meggawhat
Joined: 06 Jan 2011
Posts: 2
Posted: Sun Aug 26, 2012 5:43 am

Thanks for the code!
Yes ETH01 is directly connected to the internet.
I am using the Zeroshell transparent proxy and Clam AV.

I don't understand the reason for this one though... I do not have a 192.168.0.0 subnet.

ACCEPT all -- ETH01 * 0.0.0.0/0 192.168.0.0/22 state RELATED,ESTABLISHED
redfive
Joined: 27 Aug 2009
Posts: 232
Posted: Sun Aug 26, 2012 11:20 am

Without a rule to permit the return traffic, only http traffic will be allowed, thanks to the http proxy, but https traffic will be denied... The 192.168.0.0/22 is a manually summarized network, or supernet (the /22 mask is wider than the /24 class C default mask), and the rule
Code:
4 ACCEPT     all  --  ETH01  *       0.0.0.0/0             192.168.0.0/22    state RELATED,ESTABLISHED
will permit the return traffic to 0.0, 1.0, 2.0 and 3.0. Obviously, having only the 1.0 and 2.0 networks, you can replace the previous rule (#4) with these
Code:
4 ACCEPT     all  --  ETH01  ETH00   0.0.0.0/0            192.168.1.0/24    state RELATED,ESTABLISHED
5 ACCEPT     all  --  ETH01  ETH03   0.0.0.0/0            192.168.2.0/24    state RELATED,ESTABLISHED

Also, adding some rules in the INPUT chain would not be a bad idea.
cheers
jonatha
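To see why rule 3 and rule 4 (or its split form from the second answer) are the ones that make the difference, here is an added example that is not part of the thread or of Zeroshell: a small Python model of the FORWARD chain (first match wins, DROP as default policy) evaluated over constructed flows. It models the interface negation, address and state columns of the listings above; conntrack is reduced to a per-packet state label, and 203.0.113.5 is a documentation address standing in for an internet web server (both assumptions).

```python
from ipaddress import ip_address, ip_network

# Rule tuple: (in_iface, out_iface, src_net, dst_net, states); "*" is any interface,
# a leading "!" negates, states=None means any conntrack state (as in the listing).
FORWARD_RULES = [
    ("ETH00", "*",      "192.168.1.0/24", "0.0.0.0/0",      None),
    ("ETH03", "!ETH00", "192.168.2.0/24", "0.0.0.0/0",      None),
    ("ETH03", "ETH00",  "192.168.2.0/24", "192.168.1.0/24", {"RELATED", "ESTABLISHED"}),
    ("ETH01", "*",      "0.0.0.0/0",      "192.168.0.0/22", {"RELATED", "ESTABLISHED"}),
]
# Variant from the second answer: the /22 supernet rule split into one rule per subnet.
FORWARD_RULES_SPLIT = FORWARD_RULES[:3] + [
    ("ETH01", "ETH00", "0.0.0.0/0", "192.168.1.0/24", {"RELATED", "ESTABLISHED"}),
    ("ETH01", "ETH03", "0.0.0.0/0", "192.168.2.0/24", {"RELATED", "ESTABLISHED"}),
]

def iface_match(pattern, iface):
    """Match an interface column the way the rule listing writes it."""
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return iface != pattern[1:]
    return iface == pattern

def forward(rules, in_if, out_if, src, dst, state="NEW"):
    """First-match walk of the FORWARD chain; DROP is the default policy."""
    for in_p, out_p, src_net, dst_net, states in rules:
        if not (iface_match(in_p, in_if) and iface_match(out_p, out_if)):
            continue
        if ip_address(src) not in ip_network(src_net) or ip_address(dst) not in ip_network(dst_net):
            continue
        if states is not None and state not in states:
            continue
        return "ACCEPT"
    return "DROP"

# Constructed sample flows (description, in_if, out_if, src, dst, conntrack state);
# 203.0.113.5 is a documentation address standing in for an internet web server.
SAMPLE_FLOWS = [
    ("employee -> guest, new",    "ETH00", "ETH03", "192.168.1.10", "192.168.2.20", "NEW"),
    ("guest -> employee, new",    "ETH03", "ETH00", "192.168.2.20", "192.168.1.10", "NEW"),
    ("guest -> employee, reply",  "ETH03", "ETH00", "192.168.2.20", "192.168.1.10", "ESTABLISHED"),
    ("guest -> internet, new",    "ETH03", "ETH01", "192.168.2.20", "203.0.113.5",  "NEW"),
    ("internet -> guest, reply",  "ETH01", "ETH03", "203.0.113.5",  "192.168.2.20", "ESTABLISHED"),
    ("internet -> employee, new", "ETH01", "ETH00", "203.0.113.5",  "192.168.1.10", "NEW"),
]

def verdicts(rules):
    """Map each sample flow description to the chain's verdict."""
    return {desc: forward(rules, *flow) for desc, *flow in SAMPLE_FLOWS}
```

Dropping rule 4 (`verdicts(FORWARD_RULES[:3])`) turns the "internet -> guest, reply" verdict into DROP, which is the return-traffic problem the second answer describes; the split ruleset gives the same verdicts as the /22 rule for the 1.0 and 2.0 networks but no longer admits replies to 192.168.3.0/24.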
All times are GMT