[olug] Firewall help

Craig Wolf wolfout101 at gmail.com
Sun Apr 23 04:01:12 CDT 2017


Sorry for the delayed response, my world is psychotic right now...April has
been a month from heck!

I will head onsite to give this a try in the next week or two.  I can't
tell you how much I appreciate your willingness to assist!!!

Do you ever make it out to the OLUG meeting?  I owe you a beer, and dinner
as far as I am concerned...

Thank you!!!

Craig Wolf
(402)990-3010

Strengths: Activator, Relator, Adaptability, Learner, Achiever

On Thu, Apr 20, 2017 at 4:56 PM, Lou Duchez <lou at paprikash.com> wrote:

> Verdammt, I screwed up the Network Management rules because I am a
> lummox.  Use the following instead:
>
> # "I need the Network Management to be able to reach into any network but
> # no network can reach into this one."
>
> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_WIRMAN -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_STAWIR -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_CLIWIR -j ACCEPT
>
>
>
>> As in, iptables?  Here's how I might set it up.  I'm not saying much about
>> your "nat" chain because I feel like you've got that part under control,
>> but let me know if I should elaborate.
>>
>> ---
>>
>> #!/bin/bash
>>
>> # Here are constants you can change as required
>>
>> IP=/sbin/iptables
>>
>> VLAN_NETMAN=192.168.1.0/24
>> VLAN_OFFICE=192.168.2.0/24
>> VLAN_WIRMAN=192.168.3.0/24
>> VLAN_STAWIR=192.168.4.0/24
>> VLAN_CLIWIR=192.168.5.0/24
>>
>> ALLLOCALNETWORKS=192.168.0.0/16
>>
>>
>> # set the defaults
>>
>> $IP -t filter -P INPUT   DROP
>> $IP -t filter -P OUTPUT  ACCEPT
>> $IP -t filter -P FORWARD DROP
>>
>> $IP -t nat -P PREROUTING  ACCEPT
>> $IP -t nat -P POSTROUTING ACCEPT
>> $IP -t nat -P OUTPUT      ACCEPT
>>
>> # quick evaluation that covers 99% of cases: accept any connections that
>> # were previously approved
>>
>> $IP -t filter -A INPUT   -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> $IP -t filter -A OUTPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> $IP -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> $IP -t nat    -A OUTPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>
>> # now let's approve new connections
>>
>> # the easy-to-forget loopback rule
>>
>> $IP -t filter -A INPUT -i lo -j ACCEPT
>>
>>
>> # probably should put some rules in here to make sure you can SSH into
>> # the box
>>
>> $IP -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
>>
>>
>> # Internet (which is to say, none of the local networks -- depending on
>> # how messy your setup is, you might want to create a chain to identify
>> # local networks)
>>
>> $IP -t filter -A FORWARD -s $ALLLOCALNETWORKS ! -d $ALLLOCALNETWORKS -j ACCEPT
>>
>>
>> # "I need the Network Management to be able to reach into any network but
>> # no network can reach into this one."
>>
>> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_OFFICE -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_WIRMAN -d $VLAN_OFFICE -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_CLIWIR -d $VLAN_OFFICE -j ACCEPT
>>
>>
>> # "Office and Staff Wireless can intermingle but not touch Client."
>>
>> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_STAWIR -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
>>
>>
>> # "Client Wireless/Lab drops to Internet, no intermingling with any
>> # others."
>> # (no positive rules need to be created for this)
>>
>>
>>> Hello folks!!  Been a long time since I had to do some "by hand" firewall
>>> rules on a linux box (Ubiquiti EdgeX actually) and I am completely out of
>>> my element.
>>>
>>> I have 5 VLANs on the network:
>>> Network Management
>>> Office
>>> Wireless Management
>>> Staff Wireless
>>> Client Wireless/Lab
>>>
>>> I need the Network Management to be able to reach into any network but no
>>> network can reach into this one.
>>> Office and Staff Wireless can intermingle but not touch Client.
>>> Client Wireless/Lab drops to Internet, no intermingling with any others.
>>>
>>> Anyone's Google-Fu able to find me a close example?
>>>
>>> If not, anyone want to make a few bucks helping me write these rules??
>>>
>>> This is the final piece of a church setup I put in place that I would
>>> like to wrap up.
>>>
>>> Thank you!!
>>>
>>> Craig Wolf
>>> (402)990-3010
>>>
>>> Strengths: Activator, Relator, Adaptability, Learner, Achiever
>>> _______________________________________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://lists.olug.org/mailman/listinfo/olug
>>>

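To check Lou's two versions of the Network Management block against Craig's three requirements, here is an added policy checker (not from either mail): it models first-match evaluation of the script's FORWARD chain for the first packet of a new flow, uses the VLAN ranges from the script, and stands in a constructed 203.0.113.0/24 range for "the Internet".

```python
import ipaddress

# VLAN ranges from Lou's script; "INTERNET" is a constructed TEST-NET-3 range.
NETS = {"NETMAN": "192.168.1.0/24", "OFFICE": "192.168.2.0/24",
        "WIRMAN": "192.168.3.0/24", "STAWIR": "192.168.4.0/24",
        "CLIWIR": "192.168.5.0/24", "INTERNET": "203.0.113.0/24"}
LOCAL = "192.168.0.0/16"
HOSTS = {name: str(ipaddress.ip_network(net)[10]) for name, net in NETS.items()}

# A rule is (src_net, dst_net, dst_negated, target): the FORWARD chain after
# the conntrack rule, evaluated first-match with the chain policy DROP.
INTERNET_RULE = (LOCAL, LOCAL, True, "ACCEPT")           # -s LOCAL ! -d LOCAL
OFFICE_STAFF = [(NETS["OFFICE"], NETS["STAWIR"], False, "ACCEPT"),
                (NETS["STAWIR"], NETS["OFFICE"], False, "ACCEPT")]
ORIGINAL_RULES = [INTERNET_RULE] + [
    (NETS[s], NETS["OFFICE"], False, "ACCEPT")           # first mail's block
    for s in ("NETMAN", "OFFICE", "WIRMAN", "STAWIR", "CLIWIR")] + OFFICE_STAFF
CORRECTED_RULES = [INTERNET_RULE] + [
    (NETS["NETMAN"], NETS[d], False, "ACCEPT")            # Lou's replacement
    for d in ("OFFICE", "WIRMAN", "STAWIR", "CLIWIR")] + OFFICE_STAFF


def forward_verdict(rules, src_ip, dst_ip):
    """Verdict for the first packet of a NEW flow (return traffic is conntrack's job)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, dst_negated, target in rules:
        dst_hit = d in ipaddress.ip_network(dst_net)
        if s in ipaddress.ip_network(src_net) and dst_hit != dst_negated:
            return target
    return "DROP"                                         # chain policy


def requirements():
    """Craig's three sentences as (src, dst) -> expected verdict."""
    req = {}
    for v in ("OFFICE", "WIRMAN", "STAWIR", "CLIWIR", "INTERNET"):
        req[("NETMAN", v)] = "ACCEPT"                     # netman reaches all
        if v != "INTERNET":
            req[(v, "NETMAN")] = "DROP"                   # nobody reaches netman
    for v in ("OFFICE", "WIRMAN", "STAWIR"):
        req[("CLIWIR", v)] = req[(v, "CLIWIR")] = "DROP"  # client/lab isolated
    req[("CLIWIR", "INTERNET")] = "ACCEPT"
    req[("OFFICE", "STAWIR")] = req[("STAWIR", "OFFICE")] = "ACCEPT"
    return req


def violations(rules):
    """Every (src, dst, wanted, got) where the chain disagrees with the spec."""
    return [(s, d, want, got) for (s, d), want in requirements().items()
            if (got := forward_verdict(rules, HOSTS[s], HOSTS[d])) != want]
```

Running `violations(ORIGINAL_RULES)` reports the three missing Netman destinations plus Client Wireless reaching Office, and the corrected list reports nothing; the checker covers only the FORWARD chain, so it says nothing about the INPUT rule that accepts SSH from any source.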
