Re: iptables advice

To: debian-user@lists.debian.org
Subject: Re: iptables advice
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Sat, 29 Oct 2016 11:35:21 +0200
Message-id: <[🔎] 780f0eb8-ebb7-000b-581c-c747ba65e532@plouf.fr.eu.org>
In-reply-to: <[🔎] ddc9a058-84e5-d442-9be3-cb9aa638e52a@fuckaround.org>
References: <[🔎] ddc9a058-84e5-d442-9be3-cb9aa638e52a@fuckaround.org>

Le 27/10/2016 à 13:36, Pol Hallen a écrit :


I've 2LAN (192.168.1/24 and 192.168.2/24) with these rules:

Please be more precise. Iptables rules are created on nodes (hosts androuters), not networks.

iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24
-j ACCEPT

and same rules for 192.168.2/24: this allow each lan see other lan.

My advice is to use interface names instead of addresses wheneverpossible. Source addresses can be spoofed.

Can I deny only lan2 (192.168.2/24) to see lan1 (192.168.1/24) but allow
lan1 see lan2?

You're not telling us the whole picture, are you ? There are othernetworks, aren't they ?

An iptables rules is not isolated, it is part of a ruleset. To achievethe same purpose, different rules may be required for different rulesets.

Reply to:

References:
- iptables advice
  - From: Pol Hallen <deben@fuckaround.org>

Prev by Date: Re: EUREKA!!!! - was [Re: Permissions for an entire PARTITION]
Next by Date: Re: dependencies problem to install lightworks on jessie
Previous by thread: Re: iptables advice
Next by thread: Re: iptables advice
Index(es):
- Date
- Thread