Re: iptables advice
Hi.
In-Reply-To: <ddc9a058-84e5-d442-9be3-cb9aa638e52a@fuckaround.org>
On Thu, Oct 27, 2016 at 01:36:23PM +0200, Pol Hallen wrote:
> Hello all :-)
>
> I've 2LAN (192.168.1/24 and 192.168.2/24) with these rules:
>
> iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j ACCEPT
>
> and the same rules for 192.168.2/24: this allows each lan to see the other lan.
>
> Can I deny only lan2 (192.168.2/24) to see lan1 (192.168.1/24) but allow
> lan1 to see lan2?
Seems to be very straightforward (assuming that you're using FORWARD
ACCEPT policy):
iptables -A FORWARD -s 192.168.2/24 -d 192.168.1/24 -m conntrack \
--ctstate NEW -m comment --comment 'lan2 cannot see lan1' -j DROP
iptables -A FORWARD -s 192.168.1/24 -d 192.168.2/24 -m conntrack \
--ctstate NEW -m comment --comment 'lan1 can see lan2' -j ACCEPT
iptables -A FORWARD -s 192.168.2/24 -d 192.168.1/24 -m conntrack \
--ctstate ESTABLISHED,RELATED -m comment --comment \
'lan2 can answer lan1' -j ACCEPT
BTW consider migrating from obsolete 'state' to the new 'conntrack' in
your other rules.
Reco
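To make the asymmetry of the three rules above concrete, here is an added example (not part of either message) that models the FORWARD chain with a minimal conntrack table: NEW packets from lan2 to lan1 are dropped, NEW packets from lan1 to lan2 are accepted, and lan2's replies pass because the flow is already ESTABLISHED. The Forwarder class, the flow-key layout and the sample addresses are constructed for the illustration and are not netfilter code.

```python
from ipaddress import ip_address, ip_network

LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")

# The reply's rules in chain order: (src net, dst net, ctstates, verdict).
# First match wins; the chain policy is ACCEPT, as the reply assumes.
RULES = [
    (LAN2, LAN1, {"NEW"}, "DROP"),                        # lan2 cannot see lan1
    (LAN1, LAN2, {"NEW"}, "ACCEPT"),                      # lan1 can see lan2
    (LAN2, LAN1, {"ESTABLISHED", "RELATED"}, "ACCEPT"),   # lan2 can answer lan1
]
POLICY = "ACCEPT"


class Forwarder:
    """Constructed model: a FORWARD chain plus a conntrack table of 4-tuples."""

    def __init__(self):
        self.conntrack = set()  # (src, sport, dst, dport) of confirmed flows

    def ctstate(self, src, sport, dst, dport):
        # A packet matching a known flow in either direction is ESTABLISHED.
        if (src, sport, dst, dport) in self.conntrack:
            return "ESTABLISHED"
        if (dst, dport, src, sport) in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    def forward(self, src, sport, dst, dport):
        s, d = ip_address(src), ip_address(dst)
        state = self.ctstate(src, sport, dst, dport)
        verdict = POLICY
        for src_net, dst_net, states, rule_verdict in RULES:
            if s in src_net and d in dst_net and state in states:
                verdict = rule_verdict
                break
        # conntrack only confirms a new flow when its first packet is not dropped,
        # so a dropped lan2 -> lan1 SYN never becomes ESTABLISHED.
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add((src, sport, dst, dport))
        return verdict


def run_scenario():
    """lan1 host opens SSH to a lan2 host; lan2 host then tries HTTP to lan1."""
    fw = Forwarder()
    return [
        fw.forward("192.168.1.10", 40000, "192.168.2.20", 22),   # ACCEPT (NEW)
        fw.forward("192.168.2.20", 22, "192.168.1.10", 40000),   # ACCEPT (reply)
        fw.forward("192.168.2.20", 50000, "192.168.1.10", 80),   # DROP (NEW)
        fw.forward("192.168.2.20", 50001, "192.168.1.10", 80),   # DROP (still NEW)
    ]
```

Dropping NEW rather than all lan2-to-lan1 traffic is what keeps lan1-initiated sessions working; a plain `-s 192.168.2/24 -d 192.168.1/24 -j DROP` would also kill the replies.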