Re: [iptables] Zone based rules
On Tue, Apr 09, 2013 at 05:41:39PM +0200, Jimmy Thrasibule wrote:
> I've got a Linux box sitting between different local networks. I'd like
> to set up access policies between each network so I thought about a zone
> based firewall.
> Each zone is responsible for its incoming and outgoing traffic. However
> this role is played by the same box and if a packet is accepted by a
> zone, it cannot be denied by another zone.
Could you explain the theory behind this concept?
I prefer to specify the allowed stuff depending on egress first and
ingress second, it is pretty easy to understand. Also you want to use
ferm for iptables-based packet filters. A filter for your problem done
in my usual style would look like this:
# Assumed from the quoted rules below: eth0 faces marketing, eth1 the servers.
@def $marketing = eth0;
@def $servers = eth1;

domain (ip ip6) table filter chain FORWARD {
    # Egress first: what may leave towards the servers ...
    outerface $servers {
        # ... and ingress second: from marketing, everything except ssh.
        interface $marketing {
            proto tcp dport 22 REJECT;
            ACCEPT;
        }
    }
    # Everything not explicitly allowed above.
    REJECT;
}
> Here are the iptables rules I would go for:
> # Traffic coming from the zones.
> -A FORWARD -i eth0 -j ZONE_MRKT
> -A FORWARD -i eth1 -j ZONE_SRV
>
> # Traffic to the zones.
> -A FORWARD -o eth0 -j ZONE_MRKT
> -A FORWARD -o eth1 -j ZONE_SRV
Don't mix definitions for ingress and egress traffic. You will allow
spoofed traffic.
> # Let's look at marketing.
> -A ZONE_MRKT -i eth0 -s mar.ket.ing.net/mask -d 0.0.0.0/0 -j MRKT_OUT
The chain should already include the information that it comes from
marketing. Don't even think about doing checks by address.
> # Marketing allows any outgoing traffic.
> -A MRKT_OUT -j ACCEPT
Now you accepted ssh to the servers.
> How would you manage such a case?
Don't try to be too clever. KISS is the key for creating a maintainable
setup.
Bastian
--
The man on tops walks a lonely street; the "chain" of command is often a noose.
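To make the "Now you accepted ssh to the servers" point concrete, here is a small first-match evaluator that runs the same sample packets through the quoted zone layout (FORWARD -> ZONE_MRKT -> MRKT_OUT) and through the egress-first ferm snippet flattened the way ferm emits it. This is an added illustration, not code from the thread or from ferm: the interface mapping (eth0 marketing, eth1 servers) is taken from the quoted rules, the 10.1.0.0/16 prefix stands in for mar.ket.ing.net/mask, the sample packets are constructed, and ZONE_SRV is left empty because the thread does not show it.

```python
"""Toy first-match evaluator for the two FORWARD layouts discussed above.

Added illustration, not code from the thread.  Assumed mapping, taken from
the quoted rules: eth0 faces marketing, eth1 faces the servers.  The
10.1.0.0/16 prefix (standing in for mar.ket.ing.net/mask) and the sample
packets are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

MARKETING_NET = ip_network("10.1.0.0/16")   # constructed stand-in prefix
TERMINAL = ("ACCEPT", "REJECT", "DROP")


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One iptables rule; match fields left as None are wildcards."""
    target: str                        # ACCEPT/REJECT/DROP or a chain to jump to
    in_if: Optional[str] = None        # -i
    out_if: Optional[str] = None       # -o
    src: Optional[IPv4Network] = None  # -s
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (self.src is None or ip_address(p.src) in self.src)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


Chains = Dict[str, List[Rule]]


def walk(chains: Chains, chain: str, p: Packet) -> Optional[str]:
    """First matching rule wins; running off the end of a user chain
    returns to the calling chain, as an implicit RETURN does in iptables."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in TERMINAL:
            return rule.target
        v = walk(chains, rule.target, p)       # -j USER_CHAIN
        if v is not None:
            return v
    return None


def verdict(chains: Chains, p: Packet, policy: str = "DROP") -> str:
    """Verdict of the FORWARD chain; `policy` is its default policy."""
    return walk(chains, "FORWARD", p) or policy


# The quoted layout: per-zone chains entered from both -i and -o rules.
# ZONE_SRV is not shown in the thread, so it is left empty here.
QUOTED: Chains = {
    "FORWARD": [
        Rule("ZONE_MRKT", in_if="eth0"),
        Rule("ZONE_SRV", in_if="eth1"),
        Rule("ZONE_MRKT", out_if="eth0"),
        Rule("ZONE_SRV", out_if="eth1"),
    ],
    "ZONE_MRKT": [Rule("MRKT_OUT", in_if="eth0", src=MARKETING_NET)],
    "MRKT_OUT": [Rule("ACCEPT")],
    "ZONE_SRV": [],
}

# The egress-first ferm snippet, flattened the way ferm emits it: each leaf
# becomes one rule carrying every enclosing match.
EGRESS_FIRST: Chains = {
    "FORWARD": [
        Rule("REJECT", out_if="eth1", in_if="eth0", proto="tcp", dport=22),
        Rule("ACCEPT", out_if="eth1", in_if="eth0"),
        Rule("REJECT"),
    ],
}

# Constructed sample packets.
SSH_TO_SERVERS = Packet("eth0", "eth1", "10.1.2.3", "tcp", 22)
HTTP_TO_SERVERS = Packet("eth0", "eth1", "10.1.2.3", "tcp", 80)
SERVERS_TO_MARKETING = Packet("eth1", "eth0", "10.2.0.9", "tcp", 445)

if __name__ == "__main__":
    for name, p in [("ssh marketing->servers", SSH_TO_SERVERS),
                    ("http marketing->servers", HTTP_TO_SERVERS),
                    ("smb servers->marketing", SERVERS_TO_MARKETING)]:
        print(f"{name:26} quoted={verdict(QUOTED, p):7} "
              f"egress-first={verdict(EGRESS_FIRST, p)}")
```

Running it shows the ssh packet from marketing reaching ACCEPT in MRKT_OUT under the quoted layout before any server-side chain gets a say, while the egress-first layout rejects it on the first rule and still passes the rest of marketing's traffic to the servers.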