From: Lars Nixdorf <lars.nixdorf@genion.de>
To: netfilter@lists.netfilter.org
Subject: confused fw block int and ext traffic ..
Date: Wed, 24 Nov 2004 13:58:15 +0100	[thread overview]
Message-ID: <41A48567.9070507@genion.de> (raw)

hi,

I want to make a ruleset that protects the intranet. OK, no problem. But 
it should also protect the "internet". That means only .. simple:

ruleset extern_to_intern:
	allow some ports to fw
	allow some ports through fw to some hosts / subnets
	deny all

ruleset intern_to_extern:
	allow some ports (most of them) to fw
	allow some ports through fw to some hosts in internet
	deny all

ruleset vpn-connections
	allow all to intranet and fw
	deny all (also traffic to internet)

ruleset for special handling
	some nats / port forwards intern <--> intern

ruleset for masquerading
	masq. all behind official ip

My interfaces are:
	eth0 - intranet interface
	eth1 - internet interface


.. short lines from my configs:
-----------------------------------------------------------------------
-N extern
-A extern -m state --state ESTABLISHED,RELATED -j ACCEPT
-A extern -i $INTERNET -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A extern -i $INTERNET -m state --state NEW -p tcp --dport 25 -j ACCEPT
-A extern -i $INTERNET -p 50 -j ACCEPT
-A extern -i $INTERNET -p 51 -j ACCEPT
-A extern -i $INTERNET -m state --state NEW -p udp --dport 500 -j ACCEPT
-A extern -j DROP
-A INPUT -j extern
-A FORWARD -j extern


-N intern
-A intern -m state --state ESTABLISHED,RELATED -j ACCEPT
-A intern -m state --state NEW -i ! $LOCAL -j ACCEPT

-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 25 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p udp -d $FIREWALL --dport 37 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 37 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p udp -d $FIREWALL --dport 53 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 53 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 80 -j ACCEPT
-A intern -j DROP
-A INPUT -j intern
-A FORWARD -j intern

-N vpn
-A vpn -i ppp+ -j ACCEPT
-A INPUT -j vpn
-A FORWARD -j vpn

iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE

--------------------------------------------------------------------------

It doesn't work correctly. :/ I need some hints on how to organize this 
construction, or a suggestion for a better one.

Thx all
   Best regards

Lars Nixdorf
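As an added example (not part of the original post or of any reply on the list), the following Python script is a small model of netfilter chain traversal. It loads the posted layout, in which INPUT and FORWARD jump into `extern`, `intern` and `vpn` one after another and `extern` ends in an unconditional DROP, and contrasts it with a layout in which the hook chains dispatch on the ingress interface and each direction chain owns its own final DROP. Interface names (`eth0`, `eth1`, `ppp+`) and the ports are taken from the post; the `FIREWALL`, `INTRANET` and `INTERNET` address labels, the sample packets and the `compare()` helper are constructed for this example. The chain-walking logic is a simplification of netfilter (no policy per user chain, no RETURN target) and stands in for nothing in the iptables code base.

```python
# Toy model of netfilter chain traversal (added example, not from the post).
# Interface names and ports come from the post; address labels and sample
# packets are constructed.  Built-in chain policy is passed explicitly.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

ER = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW"})


@dataclass(frozen=True)
class Packet:
    iif: str                      # ingress interface
    state: str                    # conntrack state: NEW / ESTABLISHED / RELATED
    proto: str = "tcp"
    dport: Optional[int] = None
    dst: str = "FIREWALL"         # constructed label for the firewall's own address
    oif: Optional[str] = None     # egress interface, only meaningful in FORWARD


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, DROP or the name of a user chain
    iif: Optional[str] = None     # -i (a trailing '+' is a prefix wildcard)
    not_iif: bool = False         # -i ! X
    oif: Optional[str] = None     # -o
    states: Optional[frozenset] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.iif is not None:
            hit = fnmatch(p.iif, self.iif.replace("+", "*"))
            if hit == self.not_iif:      # plain -i needs a hit, -i ! needs a miss
                return False
        if self.oif is not None and p.oif != self.oif:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        return True


def walk(chains: dict, chain: str, p: Packet) -> Optional[str]:
    """Evaluate rules top-down; a user chain that is traversed to its end
    returns to the calling chain (netfilter's implicit RETURN)."""
    for r in chains[chain]:
        if not r.matches(p):
            continue
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        result = walk(chains, r.target, p)
        if result is not None:
            return result
    return None


def verdict(chains: dict, hook: str, p: Packet, policy: str) -> str:
    return walk(chains, hook, p) or policy


# Transcribed from the post ($INTERNET = eth1, $LOCAL = eth0).
EXTERN = [
    Rule("ACCEPT", states=ER),
    Rule("ACCEPT", iif="eth1", states=NEW, proto="tcp", dport=22),
    Rule("ACCEPT", iif="eth1", states=NEW, proto="tcp", dport=25),
    Rule("ACCEPT", iif="eth1", proto="esp"),      # -p 50
    Rule("ACCEPT", iif="eth1", proto="ah"),       # -p 51
    Rule("ACCEPT", iif="eth1", states=NEW, proto="udp", dport=500),
    Rule("DROP"),
]
INTERN_SERVICES = [
    Rule("ACCEPT", iif="eth0", states=NEW, proto=pr, dst="FIREWALL", dport=port)
    for pr, port in [("tcp", 25), ("udp", 37), ("tcp", 37), ("udp", 53), ("tcp", 53), ("tcp", 80)]
]

# Posted layout: every chain is called from INPUT and FORWARD in turn, and
# extern ends in an unconditional DROP, so a packet arriving on eth0 is
# dropped inside extern before intern is ever consulted.
POSTED = {
    "INPUT": [Rule("extern"), Rule("intern"), Rule("vpn")],
    "FORWARD": [Rule("extern"), Rule("intern"), Rule("vpn")],
    "extern": EXTERN,
    "intern": [Rule("ACCEPT", states=ER), Rule("ACCEPT", iif="eth0", not_iif=True, states=NEW)]
              + INTERN_SERVICES + [Rule("DROP")],
    "vpn": [Rule("ACCEPT", iif="ppp+")],
}

# Dispatching layout: the hook chain selects one direction chain by ingress
# interface; each direction chain ends in its own DROP; the hook policy is
# DROP so a packet from an unlisted interface is not accepted by default.
# The "-i ! eth0 NEW ACCEPT" rule is omitted: intern now only sees eth0.
DISPATCH = {
    "INPUT": [Rule("extern", iif="eth1"), Rule("intern", iif="eth0"), Rule("vpn", iif="ppp+")],
    "FORWARD": [Rule("extern", iif="eth1"), Rule("intern", iif="eth0"), Rule("vpn", iif="ppp+")],
    "extern": EXTERN,
    "intern": [Rule("ACCEPT", states=ER)] + INTERN_SERVICES + [Rule("DROP")],
    # "deny all (also traffic to internet)" for VPN peers: forwarded VPN
    # packets leaving on eth1 are dropped ahead of the ACCEPT.
    "vpn": [Rule("DROP", iif="ppp+", oif="eth1"), Rule("ACCEPT", iif="ppp+"), Rule("DROP")],
}


def compare(p: Packet, hook: str = "INPUT") -> tuple:
    """(verdict under the posted layout, verdict under the dispatching layout)."""
    return verdict(POSTED, hook, p, "ACCEPT"), verdict(DISPATCH, hook, p, "DROP")


if __name__ == "__main__":
    samples = [
        ("intranet host opens SMTP to the firewall", Packet("eth0", "NEW", "tcp", 25), "INPUT"),
        ("internet host opens SSH to the firewall", Packet("eth1", "NEW", "tcp", 22), "INPUT"),
        ("internet host opens HTTP to the firewall", Packet("eth1", "NEW", "tcp", 80), "INPUT"),
        ("VPN peer forwards into the intranet", Packet("ppp0", "NEW", "tcp", 445, "INTRANET", "eth0"), "FORWARD"),
        ("VPN peer forwards to the internet", Packet("ppp0", "NEW", "tcp", 443, "INTERNET", "eth1"), "FORWARD"),
    ]
    for label, p, hook in samples:
        posted, dispatch = compare(p, hook)
        print(f"{label:42s} posted={posted:6s} dispatch={dispatch}")
```

Running the script prints one line per sample packet; the first sample is the case the poster describes, where the intranet host's SMTP connection to the firewall is dropped under the posted layout and accepted under the dispatching one. The model's point is structural: once a user chain ends in a terminal DROP and is called first from the hook, the chains called after it are unreachable, so the hook chain should decide which single direction chain a packet enters.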



Thread overview: 2+ messages
2004-11-24 12:58 Lars Nixdorf [this message]
2004-11-24 15:08 ` confused fw block int and ext traffic Jason Opperisano