Re: Blocked route LAN to LAN

To: debian-firewall@lists.debian.org
Subject: Re: Blocked route LAN to LAN
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Sat, 21 Aug 2010 14:33:21 +0200
Message-id: <4C6FC791.4070903@plouf.fr.eu.org>
In-reply-to: <AANLkTikMKsvXnuB2FjOhJvjBj++EADpXG-cxZu0_0pjF@mail.gmail.com>
References: <AANLkTikMKsvXnuB2FjOhJvjBj++EADpXG-cxZu0_0pjF@mail.gmail.com>

Hello,

Makara a écrit :
> 
> Here is my network diagram
> 
>                                                                         
>          / LAN1 [10.101.189.0/24 <http://10.101.189.0/24>]
> internet---------------[eth0]--------------{Linux}-----------------[eth1]
>                                                                         
>          \LAN2 [192.168.0/24]
> 
> My iptables script
> 
> # EDIT This line only
> 
> IP_WAN=x.x.x.x
> 
> # DO NOT EDIT
> 
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> modprobe ip_conntrack

Unnecessary, should be automatically loaded by ip_conntrack_ftp

> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp

Unnecessary, should be automatically loaded by ip_nat_ftp

> # Flush all rules
> 
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -F -t nat
> iptables -F -t mangle
> 
> # Default Policies
> 
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT 
> iptables -P OUTPUT ACCEPT
> 
> # Allow UDP, DNS and Passive FTP
> iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

All 3 rules are useless, as the default policies are already ACCEPT and
there are no DROP nor REJECT rules. Also, the comment is misleading :
they accept much more than just UDP, DNS and passive FTP. They actually
accept almost anything.

> # garena game
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 0/0 --dport 1511:1611

This rule has no target (-j <target>) and therefore no action.

> # Transparent Proxy if it's network game
> iptables -A PREROUTING -t nat -i eth1 -s 10.101.189.0/24
> 10.101.189.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> 
> # NAT
> iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source $IP_WAN
> 
> 
> Both LAN1 n LAN2 can access internet it's good but they can access to
> each other. 
> 
> Please kindly help, I don't want LAN1 connect to LAN2 or LAN2 connect to
> LAN1.

If both subnets share the same ethernet network (e.g. use the same
switches without any separate VLANs), then they can communicate directly
over this ethernet network, skipping the Linux router. If some hosts do
not have a direct route to the other subnet they will use the router to
reach hosts in the other subnet and then you can insert iptables rules
to DROP traffic in the FORWARD chain :

iptables -I FORWARD -i eth0 -o eth0 -j DROP

But be warned that it will have no effect on hosts which have a direct
route to the other subnet.

Reply to:

Follow-Ups:
- Re: Blocked route LAN to LAN
  - From: Makara <chanmakara@gmail.com>

References:
- Blocked route LAN to LAN
  - From: Makara <chanmakara@gmail.com>

Prev by Date: Re: Blocked route LAN to LAN
Next by Date: Re: Blocked route LAN to LAN
Previous by thread: Re: Blocked route LAN to LAN
Next by thread: Re: Blocked route LAN to LAN
Index(es):
- Date
- Thread