> Hi List,
>
> Thanks for your help, especially Pascal; thank you for your detailed and
> meaningful description.
>
> I hope I can get it done soon.
>
> I'm not so clear, or maybe you got confused about that; if possible,
> please reply, because I cannot test the script right now.
>
> Your advice:
>
> iptables -I FORWARD -i eth0 -o eth0 -j DROP
>
> eth0 <<< is WAN
> eth1 <<< is LAN
>
> I think you are talking about:
>
> iptables -I FORWARD -i eth1 -o eth1 -j DROP
>
>
> Please help?
>
>
> On Sat, Aug 21, 2010 at 7:33 PM, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
>
> > Hello,
> >
> > Makara wrote:
> > >
> > > Here is my network diagram
> > >
> > >
> > >                                                          / LAN1 [10.101.189.0/24]
> > > internet---------------[eth0]--------------{Linux}-----------------[eth1]
> > >                                                          \ LAN2 [192.168.0/24]
> > >
> > > My iptables script
> > >
> > > # EDIT This line only
> > >
> > > IP_WAN=x.x.x.x
> > >
> > > # DO NOT EDIT
> > >
> > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > >
> > > modprobe ip_conntrack
> >
> > Unnecessary, should be automatically loaded by ip_conntrack_ftp
> >
> > > modprobe ip_nat_ftp
> > > modprobe ip_conntrack_ftp
> >
> > Unnecessary, should be automatically loaded by ip_nat_ftp
> >
> > > # Flush all rules
> > >
> > > iptables -F INPUT
> > > iptables -F FORWARD
> > > iptables -F OUTPUT
> > > iptables -F -t nat
> > > iptables -F -t mangle
> > >
> > > # Default Policies
> > >
> > > iptables -P INPUT ACCEPT
> > > iptables -P FORWARD ACCEPT
> > > iptables -P OUTPUT ACCEPT
> > >
> > > # Allow UDP, DNS and Passive FTP
> > > iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > > iptables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > > iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> >
> > All 3 rules are useless, as the default policies are already ACCEPT
> > and there are no DROP nor REJECT rules. Also, the comment is
> > misleading: they accept much more than just UDP, DNS and passive
> > FTP. They actually accept almost anything.
> >
> > > # garena game
> > > iptables -t nat -A PREROUTING -p udp -i eth0 -d 0/0 --dport 1511:1611
> >
> > This rule has no target (-j <target>) and therefore no action.
> >
> > > # Transparent Proxy if it's network game
> > > iptables -A PREROUTING -t nat -i eth1 -s 10.101.189.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > >
> > >
> > > # NAT
> > > iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source $IP_WAN
> > >
> > >
> > > Both LAN1 and LAN2 can access the internet, which is good, but they can
> > > also access each other.
> > >
> > > Please kindly help; I don't want LAN1 to connect to LAN2 or LAN2
> > > to connect to LAN1.
> >
> > If both subnets share the same ethernet network (e.g. use the same
> > switches without any separate VLANs), then they can communicate
> > directly over this ethernet network, skipping the Linux router. If
> > some hosts do not have a direct route to the other subnet they will
> > use the router to reach hosts in the other subnet and then you can
> > insert iptables rules to DROP traffic in the FORWARD chain:
> >
> > iptables -I FORWARD -i eth0 -o eth0 -j DROP
> >
> > But be warned that it will have no effect on hosts which have a
> > direct route to the other subnet.
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > Archive: http://lists.debian.org/4C6FC791.4070903@plouf.fr.eu.org
> >
> >
>
>
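The following script is an added example and is not from the thread or from either poster. It implements the FORWARD-chain blocking Pascal describes together with a check for the caveat he raises. In the diagram both LANs hang off eth1, so any inter-LAN packet that does cross the router arrives and leaves on the same interface; rather than depending on which interface name is right, the rules below match on source and destination subnet, which is unambiguous either way. They are inserted at position 1 so they sit above the broad ACCEPT rule the posted script appends. The `shared_segment_ifaces` function parses `ip -o -4 addr show` output and reports any interface that carries addresses in both subnets: that is exactly the case where hosts with a direct route talk over the switch and never hit FORWARD, and the fix there is separate VLANs or links, not more iptables rules. Assumptions: LAN2 is written as 192.168.0.0/24 (the diagram abbreviates it as 192.168.0/24), the WAN address 203.0.113.10 and the sample `ip` output are constructed, and DRY_RUN defaults to printing the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Blocks LAN1 <-> LAN2 forwarding on
# the Linux router and warns when both LANs share one interface (Pascal's
# caveat: such hosts bypass the router entirely).

LAN1="${LAN1:-10.101.189.0/24}"   # from the thread's diagram
LAN2="${LAN2:-192.168.0.0/24}"    # assumption: diagram's "192.168.0/24"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Subnet-based DROP rules, independent of which interface carries each LAN.
# "-I FORWARD 1" puts them ahead of the posted script's blanket ACCEPT rule.
inter_lan_rules() {
    printf '%s\n' \
        "iptables -I FORWARD 1 -s $LAN1 -d $LAN2 -j DROP" \
        "iptables -I FORWARD 1 -s $LAN2 -d $LAN1 -j DROP"
}

apply_inter_lan_rules() {
    inter_lan_rules | while read -r cmd; do
        # intentional word splitting: the rule text becomes the argument list
        run $cmd
    done
}

# Reads `ip -o -4 addr show` output on stdin and prints each interface that
# holds an address in BOTH LAN subnets. Network numbers are compared as
# integers so the check works for any prefix length, not only /24.
shared_segment_ifaces() {
    awk -v a="$LAN1" -v b="$LAN2" '
        function ip2int(s,   o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function bits(cidr,   p) { split(cidr, p, "/"); return p[2] + 0 }
        function netnum(cidr,   p, h) { split(cidr, p, "/"); h = 2 ^ (32 - p[2]); return int(ip2int(p[1]) / h) * h }
        BEGIN { na = netnum(a); ba = bits(a); nb = netnum(b); bb = bits(b) }
        $3 == "inet" {
            if (netnum($4) == na && bits($4) == ba) has_a[$2] = 1
            if (netnum($4) == nb && bits($4) == bb) has_b[$2] = 1
        }
        END { for (i in has_a) if (i in has_b) print i }'
}

# Constructed sample of `ip -o -4 addr show` on the thread's router: both LANs
# hang off eth1 exactly as in the diagram.
SAMPLE_SHARED='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
3: eth1    inet 10.101.189.1/24 brd 10.101.189.255 scope global eth1
3: eth1    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1'

# Constructed sample after LAN2 has been moved to its own interface or VLAN.
SAMPLE_SPLIT='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
3: eth1    inet 10.101.189.1/24 brd 10.101.189.255 scope global eth1
4: eth2    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth2'

main() {
    apply_inter_lan_rules
    shared=$(printf '%s\n' "$SAMPLE_SHARED" | shared_segment_ifaces)
    if [ -n "$shared" ]; then
        echo "WARNING: $LAN1 and $LAN2 share interface $shared;" \
             "hosts with a direct route reach each other without crossing FORWARD"
    else
        echo "OK: the two LANs are on separate interfaces"
    fi
}

main
```

On the real router, replace the sample with live data: `ip -o -4 addr show | shared_segment_ifaces`. An empty result means inter-LAN traffic has to transit the router and the DROP rules are effective; a listed interface means the two subnets share a broadcast domain and the rules only catch hosts that lack a direct route.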