[olug] Firewall help
Lou Duchez
lou at paprikash.com
Thu Apr 20 16:51:32 CDT 2017
As in, iptables? Here's how I might set it up. I'm not saying much
about your "nat" chain because I feel like you've got that part under
control, but let me know if I should elaborate.
---
#!/bin/bash
# Here are constants you can change as required
IP=/sbin/iptables
VLAN_NETMAN=192.168.1.0/24
VLAN_OFFICE=192.168.2.0/24
VLAN_WIRMAN=192.168.3.0/24
VLAN_STAWIR=192.168.4.0/24
VLAN_CLIWIR=192.168.5.0/24
ALLLOCALNETWORKS=192.168.0.0/16
# flush the filter table first so re-running the script doesn't append a
# second copy of every rule (nat is left alone since you're managing that
# part separately)
$IP -t filter -F
$IP -t filter -X
# set the defaults
$IP -t filter -P INPUT DROP
$IP -t filter -P OUTPUT ACCEPT
$IP -t filter -P FORWARD DROP
$IP -t nat -P PREROUTING ACCEPT
$IP -t nat -P POSTROUTING ACCEPT
$IP -t nat -P OUTPUT ACCEPT
# quick evaluation that covers 99% of cases: accept any connections that
# were previously approved
$IP -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# (the nat table is only consulted for the first packet of a connection,
# so this one never matches; harmless, but it does nothing)
$IP -t nat -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# now let's approve new connections
# the easy-to-forget loopback rule
$IP -t filter -A INPUT -i lo -j ACCEPT
# probably should put some rules in here to make sure you can SSH into
# the box (as written this accepts SSH on every interface, Internet side
# included; add -s $VLAN_NETMAN if you only want it from Network Management)
$IP -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# Internet (which is to say, none of the local networks -- depending on
# how messy your setup is, you might want to create a chain to identify
# local networks). The "!" goes in front of -d; the older "-d !" form is
# deprecated and iptables warns about it.
$IP -t filter -A FORWARD -s $ALLLOCALNETWORKS ! -d $ALLLOCALNETWORKS -j ACCEPT
# "I need the Network Management to be able to reach into any network
# but no network can reach into this one."
# (Network Management is the source in every one of these and the
# destination in none of them, so the FORWARD DROP policy takes care of
# the "nobody reaches in" half)
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_WIRMAN -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_STAWIR -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_CLIWIR -j ACCEPT
# "Office and Staff Wireless can intermingle but not touch Client."
$IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_STAWIR -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
# "Client Wireless/Lab drops to Internet, no intermingling with any others."
# (no positive rules need to be created for this)
> Hello folks!! Been a long time since I had to do some "by hand" firewall
> rules on a linux box (Ubiquiti EdgeX actually) and I am completely out of
> my element.
>
> I have 5 VLANs on the network:
> Network Management
> Office
> Wireless Management
> Staff Wireless
> Client Wireless/Lab
>
> I need the Network Management to be able to reach into any network but no
> network can reach into this one.
> Office and Staff Wireless can intermingle but not touch Client.
> Client Wireless/Lab drops to Internet, no intermingling with any others.
>
> Anyone's Google-Fu able to find me a close example?
>
> If not, anyone want to make a few bucks helping me write these rules??
>
> This is the final piece of a church setup I put in place that I would like
> to wrap up.
>
> Thank you!!
>
> Craig Wolf
> (402)990-3010
>
> Strengths: Activator, Relator, Adaptability, Learner, Achiever
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
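An added check, not part of Lou's script or the original post: the same
FORWARD policy written once as an allow matrix, which both generates the
iptables lines and answers "would a new connection from this address to
that address be forwarded?" without root or iptables on the box, so the
rules can be sanity-checked against the five requirements before they go
on the EdgeRouter. The subnets are the ones assumed in the posted script;
IP defaults to a dry-run echo (set IP=/sbin/iptables to apply); verdict is
a simplification that models only the first packet of a new connection
walking the FORWARD chain in order, ignoring INPUT/OUTPUT, NAT and the
conntrack rule.

```shell
#!/bin/bash
# Added example, not from the original post: the FORWARD policy as data.
# Assumed: the five VLAN /24s and the 192.168.0.0/16 aggregate from the
# posted script. IP defaults to a dry run; IP=/sbin/iptables applies rules.
IP=${IP:-echo /sbin/iptables}

VLAN_NETMAN=192.168.1.0/24
VLAN_OFFICE=192.168.2.0/24
VLAN_WIRMAN=192.168.3.0/24
VLAN_STAWIR=192.168.4.0/24
VLAN_CLIWIR=192.168.5.0/24
ALLLOCALNETWORKS=192.168.0.0/16

# Allow matrix for NEW connections through FORWARD. Anything not listed is
# dropped by the chain policy; replies ride on the RELATED,ESTABLISHED rule.
# Row format: "<src cidr> <dst cidr>"; a leading "!" on dst means "outside".
ALLOW="
$ALLLOCALNETWORKS !$ALLLOCALNETWORKS
$VLAN_NETMAN $VLAN_OFFICE
$VLAN_NETMAN $VLAN_WIRMAN
$VLAN_NETMAN $VLAN_STAWIR
$VLAN_NETMAN $VLAN_CLIWIR
$VLAN_OFFICE $VLAN_STAWIR
$VLAN_STAWIR $VLAN_OFFICE
"

# Emit (or apply) one FORWARD rule per matrix row, in matrix order.
gen_rules() {
    local src dst
    printf '%s\n' "$ALLOW" | while read -r src dst; do
        [ -n "$src" ] || continue
        case $dst in
            '!'*) $IP -t filter -A FORWARD -s "$src" ! -d "${dst#!}" -j ACCEPT ;;
            *)    $IP -t filter -A FORWARD -s "$src" -d "$dst" -j ACCEPT ;;
        esac
    done
}

# Dotted quad -> 32-bit integer (bash arithmetic is 64-bit, so no overflow).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> success if IP lies inside NET/BITS.
in_cidr() {
    local net=${2%/*} bits=${2#*/} mask
    [ "$bits" = "$2" ] && bits=32          # bare host address, no /bits
    mask=$(( bits == 0 ? 0 : (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# matches IP PATTERN -> success if PATTERN ("cidr" or "!cidr") matches IP.
matches() {
    case $2 in
        '!'*) ! in_cidr "$1" "${2#!}" ;;
        *)    in_cidr "$1" "$2" ;;
    esac
}

# verdict SRC_IP DST_IP -> prints ACCEPT or DROP for the first packet of a
# new connection, walking the matrix in rule order (first match wins).
verdict() {
    local src dst
    while read -r src dst; do
        [ -n "$src" ] || continue
        if matches "$1" "$src" && matches "$2" "$dst"; then
            echo ACCEPT
            return 0
        fi
    done <<EOF
$ALLOW
EOF
    echo DROP
    return 1
}

# ./policy.sh --demo   prints the generated rules and a few verdicts
if [ "${1:-}" = "--demo" ]; then
    gen_rules
    for pair in "192.168.1.5 192.168.5.10" "192.168.5.10 192.168.2.20" \
                "192.168.2.20 192.168.4.7" "192.168.5.10 8.8.8.8"; do
        printf '%-28s %s\n' "$pair" "$(verdict $pair)"
    done
fi
```

Keeping the matrix as the single source of truth is the point: the
requirement "no network can reach into Network Management" is satisfied
only because 192.168.1.0/24 never appears in the dst column, and a stray
copy-and-paste row such as "$VLAN_CLIWIR $VLAN_OFFICE" shows up as a wrong
verdict for Client -> Office before anything is loaded into the kernel.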