
[iptables] rules between subnets



Hello, 

Since 1999 I have been using SLINK with Linux 2.0.38 and ipfwadm on my
router. I am now switching to WOODY with Linux 2.4.(22|23) and
iptables because of my Thomson SpeedTouch 330 USB ADSL modem.

I have the following interfaces:

ppp0                    ADSL        wanadoo.fr
eth0  192.168.1.0/26    publicnet   Web server, access server, DNS, ...
eth1  192.168.1.64/25   privatenet  My workstations, SQL server, file server
eth2  192.168.1.96/26   securenet   The office of my old employer... :-)
eth3  192.168.1.112/27  cybernet    My CyberCenter
eth4  192.168.1.128/25  wavenet     My Lucent ORINOCO COR 1100

OK, I have installed the Debian base, compiled a new kernel for the
router with all the netfilter modules I found in the sources, and
installed my SpeedTouch backport from SID; I configured it and it works.
Now iptables -vL shows:

adsl:~ > iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

OK, next step: I have masqueraded my subnets with:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Great, all five subnets can access the Internet...

Now I would like to do the following:

DENY anything in all directions on the router (!!!) and ACCEPT
only:

ppp0  -->  eth0              eth3  eth4
eth*  -->  ppp0
eth0  -->                          eth4
eth1  -->  eth0  eth2  eth3  eth4
eth2  -->  eth0        eth3  eth4
eth3  -->  eth0              eth4
eth4  -->  eth0        eth3

With Linux 2.0.38 and ipfwadm it was easy, but iptables ???
I was thinking it works like this:

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A FORWARD -o ppp0 -j ACCEPT

iptables -A FORWARD -i eth0 -o eth4 -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth4 -j ACCEPT

iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth4 -j ACCEPT

iptables -A FORWARD -i eth3 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth4 -j ACCEPT

iptables -A FORWARD -i eth4 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth4 -o eth3 -j ACCEPT

iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth3 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth4 -j ACCEPT

And I must note that eth3 has its own firewall, because in that
subnet I have a web/NFS server and the workstations...

Hmmm, it does not work...

The next step is that I have a virtual web server at 192.168.1.14/26
which must be accessible, and then the file server with its Courier-IMAP
and the webmail on 192.168.1.68/27.

How can I do it?

For a few minutes I have cleared all rules and now I can access the
Internet again... I was on <http://netfilter.org/> but I do not
understand it very well...

Is there an iptables guru who can help?

Greetings
Michelle

-- 
Registered Linux-User #280138 with the Linux Counter, http://counter.li.org.
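Editor's added example (not code from the post): the ruleset above has per-interface-pair rules but no rule for reply packets, so with a DROP policy every response (for example a reply arriving on ppp0 for eth1) is discarded by FORWARD. The script below generates the same allow matrix as stateful rules, with one ESTABLISHED,RELATED rule for the return path, and shows how a single internal host and port can be published with DNAT. It prints the commands rather than running them, so it can be reviewed or piped to sh as root; the service ports 80 and 143 are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: generate a stateful iptables
# FORWARD ruleset for the five-subnet router described above.
# Allowed directions from the post as "in:out out ..." lines; the "eth*"
# row is folded into each ethN entry as its ppp0 target.
MATRIX='ppp0:eth0 eth3 eth4
eth0:ppp0 eth4
eth1:ppp0 eth0 eth2 eth3 eth4
eth2:ppp0 eth0 eth3 eth4
eth3:ppp0 eth0 eth4
eth4:ppp0 eth0 eth3'

# Emit the rules instead of executing them, so they can be reviewed
# (or piped to sh as root) and the generator runs without privileges.
gen_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -F FORWARD'
    # Replies to connections an earlier rule accepted must get back through
    # FORWARD on the reverse interface pair; with a DROP policy and pair
    # rules only, every response packet is silently discarded.
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only the first packet of a connection needs an interface-pair rule.
    echo "$MATRIX" | while IFS=: read -r iface outs; do
        for out in $outs; do
            echo "iptables -A FORWARD -i $iface -o $out -m state --state NEW -j ACCEPT"
        done
    done
    # Masquerade everything leaving through the ADSL link, as in the post.
    echo 'iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE'
}

# Publish one internal TCP service: DNAT the port arriving on ppp0 to the
# host, and open FORWARD for exactly that host and port (not the subnet).
# Usage: publish <tcp-port> <internal-host> <lan-interface>
publish() {
    echo "iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport $1 -j DNAT --to-destination $2"
    echo "iptables -A FORWARD -i ppp0 -o $3 -d $2 -p tcp --dport $1 -m state --state NEW -j ACCEPT"
}

# Ports are assumed: 80 for the web server, 143 for Courier-IMAP
# (143 is plaintext IMAP; prefer 993 if the server offers IMAPS).
all_rules() {
    gen_rules
    publish 80 192.168.1.14 eth0
    publish 143 192.168.1.68 eth1
}

# Number of interface-pair rules, so a change to MATRIX is easy to check.
count_pair_rules() {
    gen_rules | grep -c -- '--state NEW'
}
```

Run `all_rules` to review the output; `all_rules | sh` applies it on the router.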
