[olug] Firewall help

Lou Duchez lou at paprikash.com
Thu Apr 20 16:56:11 CDT 2017


Verdammt, I screwed up the Network Management rules because I am a lummox.  Use the following instead:

# "I need the Network Management to be able to reach into any network but no network can reach into this one."

$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_WIRMAN -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_STAWIR -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_CLIWIR -j ACCEPT


> As in, iptables?  Here's how I might set it up.  I'm not saying much 
> about your "nat" chain because I feel like you've got that part under 
> control, but let me know if I should elaborate.
>
> ---
>
> #!/bin/bash
>
> # Here are constants you can change as required
>
> IP=/sbin/iptables
>
> VLAN_NETMAN=192.168.1.0/24
> VLAN_OFFICE=192.168.2.0/24
> VLAN_WIRMAN=192.168.3.0/24
> VLAN_STAWIR=192.168.4.0/24
> VLAN_CLIWIR=192.168.5.0/24
>
> ALLLOCALNETWORKS=192.168.0.0/16
>
>
> # set the defaults
>
> $IP -t filter -P INPUT   DROP
> $IP -t filter -P OUTPUT  ACCEPT
> $IP -t filter -P FORWARD DROP
>
> $IP -t nat -P PREROUTING  ACCEPT
> $IP -t nat -P POSTROUTING ACCEPT
> $IP -t nat -P OUTPUT      ACCEPT
>
> # quick evaluation that covers 99% of cases: accept any connections that were previously approved
>
> $IP -t filter -A INPUT   -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IP -t filter -A OUTPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IP -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IP -t nat    -A OUTPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> # now let's approve new connections
>
> # the easy-to-forget loopback rule
>
> $IP -t filter -A INPUT -i lo -j ACCEPT
>
>
> # probably should put some rules in here to make sure you can SSH into the box
>
> $IP -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
>
>
> # Internet (which is to say, none of the local networks -- depending on how messy your setup is, you might want to create a chain to identify local networks)
>
> $IP -t filter -A FORWARD -s $ALLLOCALNETWORKS -d ! $ALLLOCALNETWORKS -j ACCEPT
>
>
> # "I need the Network Management to be able to reach into any network but no network can reach into this one."
>
> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_WIRMAN -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_CLIWIR -d $VLAN_OFFICE -j ACCEPT
>
>
> # "Office and Staff Wireless can intermingle but not touch Client."
>
> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_STAWIR -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
>
>
> # "Client Wireless/Lab drops to Internet, no intermingling with any others."
> # (no positive rules need to be created for this)
>
>
>> Hello folks!!  Been a long time since I had to do some "by hand" firewall rules on a Linux box (Ubiquiti EdgeX actually) and I am completely out of my element.
>>
>> I have 5 VLAN's on the network:
>> Network Management
>> Office
>> Wireless Management
>> Staff Wireless
>> Client Wireless/Lab
>>
>> I need the Network Management to be able to reach into any network but no network can reach into this one.
>> Office and Staff Wireless can intermingle but not touch Client.
>> Client Wireless/Lab drops to Internet, no intermingling with any others.
>>
>> Anyone's Google-Fu able to find me a close example?
>>
>> If not, anyone want to make a few bucks helping me write these rules??
>>
>> This is the final piece of a church setup I put in place that I would like to wrap up.
>>
>> Thank you!!
>>
>> Craig Wolf
>> (402)990-3010
>>
>> Strengths: Activator, Relator, Adaptability, Learner, Achiever
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
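The correction above changes which five rules open Network Management to the other VLANs, and the easiest way to see why the first version was wrong is to evaluate the FORWARD chain the way netfilter does: top to bottom, first match wins, chain policy DROP otherwise. The script below is an added example, not code from Lou's or Craig's messages. It reuses the constants from the posted script, keeps both rule tables (the first reply's and the corrected one) as plain "src,dst,verdict" lines, evaluates probe packets against them in POSIX sh, and can print the corresponding iptables commands. It models NEW connections only, because the RELATED,ESTABLISHED rule that precedes these in the posted script already carries the replies; the 203.0.113.10 Internet address and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a first-match model of the FORWARD chain
# so the VLAN policy can be checked on a workstation before it goes on the
# router. Only NEW connections are modelled; the posted RELATED,ESTABLISHED
# rule sits above these and lets replies back on its own.

IP=/sbin/iptables                 # same constants as the posted script
VLAN_NETMAN=192.168.1.0/24
VLAN_OFFICE=192.168.2.0/24
VLAN_WIRMAN=192.168.3.0/24
VLAN_STAWIR=192.168.4.0/24
VLAN_CLIWIR=192.168.5.0/24
ALLLOCALNETWORKS=192.168.0.0/16
INTERNET_HOST=203.0.113.10        # constructed stand-in for "some Internet host"

# Rules are "src,dst,verdict" in chain order. A dst of "!$ALLLOCALNETWORKS"
# means "anything outside the local /16"; the chain policy is DROP.

# The first reply's Network Management block: it opened Office to every VLAN
# instead of opening every VLAN to Network Management.
BROKEN_RULES="
$ALLLOCALNETWORKS,!$ALLLOCALNETWORKS,ACCEPT
$VLAN_NETMAN,$VLAN_OFFICE,ACCEPT
$VLAN_OFFICE,$VLAN_OFFICE,ACCEPT
$VLAN_WIRMAN,$VLAN_OFFICE,ACCEPT
$VLAN_STAWIR,$VLAN_OFFICE,ACCEPT
$VLAN_CLIWIR,$VLAN_OFFICE,ACCEPT
$VLAN_OFFICE,$VLAN_STAWIR,ACCEPT
$VLAN_STAWIR,$VLAN_OFFICE,ACCEPT
"

# The corrected block from the follow-up, plus the unchanged Office/Staff rules.
FIXED_RULES="
$ALLLOCALNETWORKS,!$ALLLOCALNETWORKS,ACCEPT
$VLAN_NETMAN,$VLAN_OFFICE,ACCEPT
$VLAN_NETMAN,$VLAN_WIRMAN,ACCEPT
$VLAN_NETMAN,$VLAN_STAWIR,ACCEPT
$VLAN_NETMAN,$VLAN_CLIWIR,ACCEPT
$VLAN_OFFICE,$VLAN_STAWIR,ACCEPT
$VLAN_STAWIR,$VLAN_OFFICE,ACCEPT
"

# net_matches SPEC ADDR: does the rule's network SPEC cover ADDR?
# ADDR is one of the VLAN prefixes above or a single Internet address.
net_matches() {
  case "$1" in
    "$2") return 0 ;;                                   # exact prefix match
    "$ALLLOCALNETWORKS") case "$2" in 192.168.*) return 0 ;; esac ;;
    '!'"$ALLLOCALNETWORKS") case "$2" in 192.168.*) return 1 ;; *) return 0 ;; esac ;;
  esac
  return 1
}

# forward_verdict RULES SRC DST: walk RULES top to bottom, first match wins,
# otherwise the chain policy (DROP) applies.
forward_verdict() {
  rules=$1; src=$2; dst=$3
  for rule in $rules; do
    rs=${rule%%,*}; rest=${rule#*,}; rd=${rest%%,*}; verdict=${rest#*,}
    if net_matches "$rs" "$src" && net_matches "$rd" "$dst"; then
      echo "$verdict"; return 0
    fi
  done
  echo DROP
}

# render_rules RULES: print the iptables commands the table stands for, using
# the "! -d" negation form that current iptables expects.
render_rules() {
  for rule in $1; do
    rs=${rule%%,*}; rest=${rule#*,}; rd=${rest%%,*}; verdict=${rest#*,}
    case "$rd" in
      '!'*) echo "$IP -t filter -A FORWARD -s $rs ! -d ${rd#!} -j $verdict" ;;
      *)    echo "$IP -t filter -A FORWARD -s $rs -d $rd -j $verdict" ;;
    esac
  done
}

# check_policy RULES: the three requirements from the original question as
# probes; returns 0 if every probe gets the expected verdict, 1 on the first miss.
check_policy() {
  for probe in \
    "$VLAN_NETMAN,$VLAN_STAWIR,ACCEPT" "$VLAN_NETMAN,$VLAN_CLIWIR,ACCEPT" \
    "$VLAN_OFFICE,$VLAN_NETMAN,DROP"   "$VLAN_CLIWIR,$VLAN_NETMAN,DROP"   \
    "$VLAN_OFFICE,$VLAN_STAWIR,ACCEPT" "$VLAN_STAWIR,$VLAN_OFFICE,ACCEPT" \
    "$VLAN_STAWIR,$VLAN_CLIWIR,DROP"   "$VLAN_CLIWIR,$VLAN_OFFICE,DROP"   \
    "$VLAN_CLIWIR,$INTERNET_HOST,ACCEPT"; do
    psrc=${probe%%,*}; prest=${probe#*,}; pdst=${prest%%,*}; want=${prest#*,}
    got=$(forward_verdict "$1" "$psrc" "$pdst")
    [ "$got" = "$want" ] || { echo "FAIL: $psrc -> $pdst got $got, wanted $want"; return 1; }
  done
  echo "policy OK"
}

echo "--- first reply's rules:"
check_policy "$BROKEN_RULES" || echo "(the first reply's block fails the requirements)"
echo "--- corrected rules:"
check_policy "$FIXED_RULES"
render_rules "$FIXED_RULES"
```

Run it with `sh policy-check.sh`: the first table fails on the very first probe (Network Management cannot reach Staff Wireless) and would also let Client Wireless into Office, the corrected table passes all nine probes, and the last lines are the commands to paste into the script. The table can be extended with any further probe a requirement implies before the rules are loaded on the EdgeRouter.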