Re: iptables, 3 ethernet cards

On Tue, Jun 24, 2003 at 07:58:17AM +0200, arthur wrote:
> I have such firewall: (fragment) 
> 
> #eth0 - local 10.10.1.1 
> #eth1 - local 192.168.1.1 
> #eth2 - world 213... 
> 
> EXTERNAL=`ifconfig eth2 | grep "addr:" | cut -d: -f2 | cut -d" " -f1` 
> 
> iptables -P FORWARD DROP 
> iptables -A FORWARD -i eth2 -j ACCEPT 
> 
> iptables -A FORWARD -i eth0 -s 10.10.1.0/24 -j ACCEPT 
> iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT 
> 
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT -s 192.168.1.0/24 --to ${EXTERNAL} 
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT -s 10.10.1.0/24 --to ${EXTERNAL} 
> 
> Why, if I connect to eth1 with for example IP 10.10.1.10, do I have an open world? 
> The same if I connect to eth0 with for example IP 192.168.1.10, I have an open world too. 
> I want to block it!

Because FORWARD is only invoked when a packet is going to be routed, not
when the packet is destined to be handled on this server.

If you want to close eth0 to all traffic except for source
192.168.1.0/24, and eth1 to all except source 10.10.1.0/24, do:

# default-deny everything addressed to the firewall host itself
iptables -P INPUT DROP
# then accept only each LAN's own network on its own interface
iptables -A INPUT -i eth0 -s 10.10.1.0/24 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT

Incidentally, it's better to tell people exactly what you want to have
happen. This might interfere with something else you need.


-dsr-

-- 
Network engineer / pre-sales engineer available in the Boston area.
http://tao.merseine.nu/~dsr
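The script below is an added example, not code from the thread. It applies the INPUT-chain suggestion above to the full three-interface layout from the question and adds the two accepts (loopback and established connections) without which a default-DROP INPUT policy also cuts off the SSH session used to load the rules. It keeps the question's per-network SNAT and replaces the question's unconditional `-A FORWARD -i eth2 -j ACCEPT` with a rule that only lets reply traffic back in from the world. Interface names and networks are the ones in the question; the conntrack match, the `ip`-based external address lookup, the DRY_RUN switch and the 203.0.113.1 placeholder address are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the three-card firewall in the question (not the thread's code):
#   eth0 = 10.10.1.0/24 (LAN), eth1 = 192.168.1.0/24 (LAN), eth2 = world.
# The same per-interface source filter is applied to INPUT (traffic to the firewall
# itself) and FORWARD (routed traffic), because a packet addressed to the firewall
# never reaches FORWARD. Set DRY_RUN=1 to print the commands instead of running them.

LAN0_IF=eth0; LAN0_NET=10.10.1.0/24
LAN1_IF=eth1; LAN1_NET=192.168.1.0/24
WAN_IF=eth2

# ipt: print the iptables command in dry-run mode, otherwise execute it (needs root).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# external_addr: first IPv4 address on the world-facing interface.
# In dry-run mode a TEST-NET-3 placeholder is returned (assumption for the example).
external_addr() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo 203.0.113.1
    else
        ip -4 -o addr show dev "$WAN_IF" | awk '{print $4}' | cut -d/ -f1 | head -n1
    fi
}

build_rules() {
    ext=$(external_addr)

    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Without these two rules a default-DROP INPUT policy blocks the loopback
    # interface and the reply half of every connection the firewall itself opens,
    # including the SSH session that loads this script.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets for the firewall host are decided here, not in FORWARD: each LAN
    # interface only accepts its own network as source, so a host with a
    # 10.10.1.x address plugged into eth1 is dropped.
    ipt -A INPUT -i "$LAN0_IF" -s "$LAN0_NET" -j ACCEPT
    ipt -A INPUT -i "$LAN1_IF" -s "$LAN1_NET" -j ACCEPT

    # Routed traffic: the same per-interface source check as the question's
    # FORWARD rules, but from the world only replies to existing connections
    # are let through instead of the original unconditional "-i eth2 -j ACCEPT".
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN0_IF" -s "$LAN0_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -j ACCEPT

    # Masquerade both LANs behind the external address, as in the question.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN0_NET" -j SNAT --to-source "$ext"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN1_NET" -j SNAT --to-source "$ext"
}

# Print the generated ruleset for review; drop DRY_RUN=1 to load it for real.
DRY_RUN=1 build_rules
```

Review the output with DRY_RUN=1 first, then load it from the console rather than over SSH the first time, so a mistake in the INPUT rules cannot lock you out of the box.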