[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [iptables] Zone based rules

On Tue, Apr 09, 2013 at 05:41:39PM +0200, Jimmy Thrasibule wrote:
> I've got a Linux box sitting between different local networks. I'd like
> to set up access policies between each network so I though about a zone
> based firewall.
> Each zone is responsible of its incoming and outgoing traffic. However
> this role is played by the same box and if a packet is accepted by a
> zone, it cannot be denied by another zone.

Could you explain the theory behind this concept?

I prefer to specify the allowed stuff depending on egress first and
ingress second, it is pretty easy to understand.  Also you want to use
ferm for iptables-based packet filters.  A filter for your problem done
in my usual style would look like this:

domain (ip ip6) table filter chain FORWARD {
  outerface $servers {
    interface $marketing {
      proto tcp dport 22 REJECT;


> Here are the iptables rules I would go for:
>   # Traffic coming from the zones.
>   -A FORWARD -i eth0 ZONE_MRKT
>   -A FORWARD -i eth1 ZONE_SRV
>   # Traffic to the zones.
>   -A FORWARD -o eth0 ZONE_MRKT
>   -A FORWARD -o eth1 ZONE_SRV

Don't mix definitions for ingress and egress traffic. You will allow
spoofed traffic.

>   # Let's look at marketing.
>   -A ZONE_MKRT -i eth0 -s mar.ket.ing.net/mask -d any/0 -j MRKT_OUT

The chain should already include the information that it comes from
marketing. Don't even think about doing checks by address.

>   # Marketing allows any outgoing traffic.

Now you accepted ssh to the servers.

> How would you manage such a case?

Don't try to be too clever. KISS is the key for creating a maintainable


The man on tops walks a lonely street; the "chain" of command is often a noose.

Reply to: