On 27/10/2016 at 13:36, Pol Hallen wrote:
I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules:
Please be more precise. Iptables rules are created on nodes (hosts and routers), not networks.
iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j ACCEPT
and the same rules for 192.168.2/24: this allows each LAN to see the other.
My advice is to use interface names instead of addresses whenever possible. Source addresses can be spoofed.
Can I prevent only LAN2 (192.168.2/24) from seeing LAN1 (192.168.1/24) but allow LAN1 to see LAN2?
You're not telling us the whole picture, are you? There are other networks, aren't there?
An iptables rule is not isolated; it is part of a ruleset. To achieve the same purpose, different rules may be required for different rulesets.
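An added example, not written by either poster: a small Python model of the FORWARD chain with a minimal conntrack table, comparing an interface-based ruleset for the asymmetric policy asked about above with an address-based one in the style of the original rules. The interface names eth1/eth2, the chain policy DROP, and the packet values are assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumed layout (the thread does not state it): eth1 faces LAN1
# 192.168.1.0/24, eth2 faces LAN2 192.168.2.0/24; chain policy DROP.
# Rule = (in_if, out_if, src_net, states, target); None matches anything.
IFACE_RULES = [  # interface-based, as the reply recommends
    (None, None, None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),  # --state ESTABLISHED,RELATED -j ACCEPT
    ("eth1", "eth2", None, None, "ACCEPT"),  # -i eth1 -o eth2 -j ACCEPT
    ("eth2", "eth1", None, None, "DROP"),    # -i eth2 -o eth1 -j DROP
]
ADDR_RULES = [  # address-based, in the style of the original post
    (None, None, None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    (None, None, "192.168.1.0/24", None, "ACCEPT"),  # -s 192.168.1/24 -j ACCEPT
    (None, None, "192.168.2.0/24", None, "DROP"),    # -s 192.168.2/24 -j DROP
]
Packet = namedtuple("Packet", "in_if out_if src dst sport dport")

def flow_key(p):  # direction-independent, so a reply maps to the same flow
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Forwarder:
    """First-match FORWARD chain plus a minimal conntrack table
    (only NEW and ESTABLISHED are tracked; RELATED is not modelled)."""
    def __init__(self, rules, policy="DROP"):
        self.rules, self.policy, self.conntrack = rules, policy, set()

    def verdict(self, p):
        state = "ESTABLISHED" if flow_key(p) in self.conntrack else "NEW"
        target = self.policy  # chain policy applies when no rule matches
        for in_if, out_if, src_net, states, rule_target in self.rules:
            if (in_if in (None, p.in_if) and out_if in (None, p.out_if)
                    and (src_net is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(src_net))
                    and (states is None or state in states)):
                target = rule_target
                break
        if target == "ACCEPT" and state == "NEW":
            self.conntrack.add(flow_key(p))  # accepted NEW flow becomes ESTABLISHED
        return target

def scenario(rules):
    """Verdicts for: LAN1->LAN2 request, its reply, a new LAN2->LAN1 flow, and a packet on eth2 with a forged LAN1 source."""
    fw = Forwarder(rules)
    return (
        fw.verdict(Packet("eth1", "eth2", "192.168.1.10", "192.168.2.20", 40000, 22)),
        fw.verdict(Packet("eth2", "eth1", "192.168.2.20", "192.168.1.10", 22, 40000)),
        fw.verdict(Packet("eth2", "eth1", "192.168.2.30", "192.168.1.10", 50000, 80)),
        fw.verdict(Packet("eth2", "eth1", "192.168.1.99", "192.168.1.10", 50000, 80)),
    )
```

Both rulesets let LAN1 open connections and let the replies back, and both block a new LAN2 connection; only the interface-based one also drops the packet arriving on eth2 with a LAN1 source address, which is the point made about spoofing above.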