* Firewalling issue
@ 2006-07-19 10:25 Ross Cameron
2006-07-19 10:59 ` Sietse van Zanen
[not found] ` <1153305518.5888.176.camel@sehe-c4.berlin.teles.de>
0 siblings, 2 replies; 3+ messages in thread
From: Ross Cameron @ 2006-07-19 10:25 UTC (permalink / raw)
To: netfilter
Hi there list I have the following issue:
I have a IP split setup on one of my Linux boxes (see diagram below), I
can route and all access is hunky dory,... BUT I want to block access to
my DMZ'z gateway address from the outside world.
How do I do this?
+------------+ +------------ +
| | eth0 +-------------+ eth1 | |
| Internet |============| FW / Router |============| LAN |
| | +-------------+ | |
+------------+ || eth2 +------------ +
||
||
||
|| +------------ +
|+-----------------| |
+------------------| DMZ |
| |
+------------ +
KEY:
~~~~
eth0 => 196.x.x.122 / 255.255.255.252
eth1 => 192.168.x.x / 255.255.255.0
eth2 => 196.x.x.94 / 255.255.255.240
The Internet needs to be able to see 196.x.x.80 -> 196.x.x.95,... with
the exception of 196.x.x.94!!!
Everything else is correct and how I need it to be,... I need to know
how to DROP the packets coming in on eth0 for 196.x.x.94
BUT packets coming in on eth2 for 196.x.x.94 need to be allowed.
Regards,...
Ross Cameron
^ permalink raw reply [flat|nested] 3+ messages in thread* RE: Firewalling issue
2006-07-19 10:25 Firewalling issue Ross Cameron
@ 2006-07-19 10:59 ` Sietse van Zanen
[not found] ` <1153305518.5888.176.camel@sehe-c4.berlin.teles.de>
1 sibling, 0 replies; 3+ messages in thread
From: Sietse van Zanen @ 2006-07-19 10:59 UTC (permalink / raw)
To: netfilter
You need to create a rule on that specific interface. something like:
iptables -t filter -A INPUT -i eth2 -s 0.0.0.0/0 -j DROP
This will drop ALL traffic coming into your eth2 interface. If you need certain traffic to come through (like from your internal network) add a rule to allow this traffic BEFORE the drop rule.
Also, get yourself a tool like fwbuilder (http://www.fwbuilder.org). It will make configuring your firewall a lot easier.
-Sietse
________________________________
From: netfilter-bounces@lists.netfilter.org on behalf of Ross Cameron
Sent: Wed 19-Jul-06 12:25
To: netfilter@lists.netfilter.org
Subject: Firewalling issue
Hi there list I have the following issue:
I have a IP split setup on one of my Linux boxes (see diagram below), I
can route and all access is hunky dory,... BUT I want to block access to
my DMZ'z gateway address from the outside world.
How do I do this?
+------------+ +------------ +
| | eth0 +-------------+ eth1 | |
| Internet |============| FW / Router |============| LAN |
| | +-------------+ | |
+------------+ || eth2 +------------ +
||
||
||
|| +------------ +
|+-----------------| |
+------------------| DMZ |
| |
+------------ +
KEY:
~~~~
eth0 => 196.x.x.122 / 255.255.255.252
eth1 => 192.168.x.x / 255.255.255.0
eth2 => 196.x.x.94 / 255.255.255.240
The Internet needs to be able to see 196.x.x.80 -> 196.x.x.95,... with
the exception of 196.x.x.94!!!
Everything else is correct and how I need it to be,... I need to know
how to DROP the packets coming in on eth0 for 196.x.x.94
BUT packets coming in on eth2 for 196.x.x.94 need to be allowed.
Regards,...
Ross Cameron
^ permalink raw reply [flat|nested] 3+ messages in thread[parent not found: <1153305518.5888.176.camel@sehe-c4.berlin.teles.de>]
* Re: Firewalling issue
[not found] ` <1153305518.5888.176.camel@sehe-c4.berlin.teles.de>
@ 2006-07-19 11:09 ` Ross Cameron
0 siblings, 0 replies; 3+ messages in thread
From: Ross Cameron @ 2006-07-19 11:09 UTC (permalink / raw)
To: Sebastian Heidl, netfilter
Issue resolved!
Thx very much,... I had that syntax before,.. but it wasn't early enough
in the rule set,... rookie mistake!
Thx guys!
Sebastian Heidl wrote:
> Hi Ross,
>
> this should do it:
>
> iptables -A INPUT -i eth0 -d 196.x.x.94 -j DROP
>
> You may want to insert this rule early in the INPUT chain.
> Regards.
>
> _sh_
>
>
> On Wed, 2006-07-19 at 12:25 +0200, Ross Cameron wrote:
>
>> Hi there list I have the following issue:
>>
>> I have a IP split setup on one of my Linux boxes (see diagram below), I
>> can route and all access is hunky dory,... BUT I want to block access to
>> my DMZ'z gateway address from the outside world.
>> How do I do this?
>>
>>
>> +------------+ +------------ +
>> | | eth0 +-------------+ eth1 | |
>> | Internet |============| FW / Router |============| LAN |
>> | | +-------------+ | |
>> +------------+ || eth2 +------------ +
>> ||
>> ||
>> ||
>> || +------------ +
>> |+-----------------| |
>> +------------------| DMZ |
>> | |
>> +------------ +
>>
>> KEY:
>> ~~~~
>> eth0 => 196.x.x.122 / 255.255.255.252
>> eth1 => 192.168.x.x / 255.255.255.0
>> eth2 => 196.x.x.94 / 255.255.255.240
>>
>>
>> The Internet needs to be able to see 196.x.x.80 -> 196.x.x.95,... with
>> the exception of 196.x.x.94!!!
>>
>> Everything else is correct and how I need it to be,... I need to know
>> how to DROP the packets coming in on eth0 for 196.x.x.94
>> BUT packets coming in on eth2 for 196.x.x.94 need to be allowed.
>>
>> Regards,...
>> Ross Cameron
>>
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-07-19 11:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-07-19 10:25 Firewalling issue Ross Cameron
2006-07-19 10:59 ` Sietse van Zanen
[not found] ` <1153305518.5888.176.camel@sehe-c4.berlin.teles.de>
2006-07-19 11:09 ` Ross Cameron
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.