[olug] Firewall help

Lou Duchez lou at paprikash.com
Sun Apr 23 04:34:17 CDT 2017


I'm from the far east Omaha suburbs -- most people would describe it as 
"Cleveland area" -- so the commute to the OLUG meetings is heck.  The 
beer is appreciated, though, but please drink it for me before it gets warm.

It occurs to me that, if you're building all your iptables rules from 
scratch, you'll want to flush all the rules first thing so you've got a 
blank slate:

$IP -t filter -F
$IP -t nat -F

And at the end, you can save all the rules you've built:

/sbin/iptables-save > /etc/sysconfig/iptables


> Sorry for the delayed response, my world is psychotic right now...April has
> been a month from heck!
>
> I will head onsite to give this a try in the next week or two.  I can't
> tell you how much I appreciate your willingness to assist!!!
>
> Do you ever make it out to the OLUG meeting?  I owe you a beer, and dinner
> as far as I am concerned...
>
> Thank you!!!
>
> Craig Wolf
> (402)990-3010
>
> Strengths: Activator, Relator, Adaptability, Learner, Achiever
>
> On Thu, Apr 20, 2017 at 4:56 PM, Lou Duchez <lou at paprikash.com> wrote:
>
>> Verdammt, I screwed up the Network Management rules because I am a
>> lummox.  Use the following instead:
>>
>> # "I need the Network Management to be able to reach into any network but
>> # no network can reach into this one."
>>
>> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_WIRMAN -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_STAWIR -j ACCEPT
>> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_CLIWIR -j ACCEPT
>>
>>
>>
>>> As in, iptables?  Here's how I might set it up.  I'm not saying much about
>>> your "nat" chain because I feel like you've got that part under control,
>>> but let me know if I should elaborate.
>>>
>>> ---
>>>
>>> #!/bin/bash
>>>
>>> # Here are constants you can change as required
>>>
>>> IP=/sbin/iptables
>>>
>>> VLAN_NETMAN=192.168.1.0/24
>>> VLAN_OFFICE=192.168.2.0/24
>>> VLAN_WIRMAN=192.168.3.0/24
>>> VLAN_STAWIR=192.168.4.0/24
>>> VLAN_CLIWIR=192.168.5.0/24
>>>
>>> ALLLOCALNETWORKS=192.168.0.0/16
>>>
>>>
>>> # set the defaults
>>>
>>> $IP -t filter -P INPUT   DROP
>>> $IP -t filter -P OUTPUT  ACCEPT
>>> $IP -t filter -P FORWARD DROP
>>>
>>> $IP -t nat -P PREROUTING  ACCEPT
>>> $IP -t nat -P POSTROUTING ACCEPT
>>> $IP -t nat -P OUTPUT      ACCEPT
>>>
>>> # quick evaluation that covers 99% of cases: accept any connections that
>>> # were previously approved
>>>
>>> $IP -t filter -A INPUT   -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>> $IP -t filter -A OUTPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>> $IP -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>> $IP -t nat    -A OUTPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>
>>> # now let's approve new connections
>>>
>>> # the easy-to-forget loopback rule
>>>
>>> $IP -t filter -A INPUT -i lo -j ACCEPT
>>>
>>>
>>> # probably should put some rules in here to make sure you can SSH into
>>> # the box
>>>
>>> $IP -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
>>>
>>>
>>> # Internet (which is to say, none of the local networks -- depending on
>>> # how messy your setup is, you might want to create a chain to identify local
>>> # networks)
>>>
>>> $IP -t filter -A FORWARD -s $ALLLOCALNETWORKS ! -d $ALLLOCALNETWORKS -j ACCEPT
>>>
>>>
>>> # "I need the Network Management to be able to reach into any network but
>>> # no network can reach into this one."
>>>
>>> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
>>> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_OFFICE -j ACCEPT
>>> $IP -t filter -A FORWARD -s $VLAN_WIRMAN -d $VLAN_OFFICE -j ACCEPT
>>> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
>>> $IP -t filter -A FORWARD -s $VLAN_CLIWIR -d $VLAN_OFFICE -j ACCEPT
>>>
>>>
>>> # "Office and Staff Wireless can intermingle but not touch Client."
>>>
>>> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_STAWIR -j ACCEPT
>>> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
>>>
>>>
>>> # "Client Wireless/Lab drops to Internet, no intermingling with any
>>> # others."
>>> # (no positive rules need to be created for this)
>>>
>>>
>>>> Hello folks!!  Been a long time since I had to do some "by hand" firewall
>>>> rules on a linux box (Ubiquiti EdgeX actually) and I am completely out of
>>>> my element.
>>>>
>>>> I have 5 VLAN's on the network:
>>>> Network Management
>>>> Office
>>>> Wireless Management
>>>> Staff Wireless
>>>> Client Wireless/Lab
>>>>
>>>> I need the Network Management to be able to reach into any network but no
>>>> network can reach into this one.
>>>> Office and Staff Wireless can intermingle but not touch Client.
>>>> Client Wireless/Lab drops to Internet, no intermingling with any others.
>>>>
>>>> Anyone's Google-Fu able to find me a close example?
>>>>
>>>> If not, anyone want to make a few bucks helping me write these rules??
>>>>
>>>> This is the final piece of a church setup I put in place that I would
>>>> like
>>>> to wrap up.
>>>>
>>>> Thank you!!
>>>>
>>>> Craig Wolf
>>>> (402)990-3010
>>>>
>>>> Strengths: Activator, Relator, Adaptability, Learner, Achiever
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>
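An added example, not code from anyone in the thread: the three requirements from Craig's original question written as an explicit "SRC:DST" allow-list, a check of that list against the requirements, and a generator for the matching FORWARD rules. It reuses the placeholder subnets and $IP from Lou's script, and the BUGGY list is the Network Management block from the first reply, kept only to show the check rejecting it. Nothing here runs iptables; the generated lines are printed for review.

```bash
#!/bin/bash
# Added example (not from the thread): build the inter-VLAN FORWARD rules from
# an explicit allow-list and check the list against the stated policy first.
# Subnets and $IP are the placeholder values from Lou's script.

IP=/sbin/iptables
VLANS="NETMAN OFFICE WIRMAN STAWIR CLIWIR"

# VLAN name -> subnet (placeholders from the thread, not a real site)
vlan_subnet() {
  case "$1" in
    NETMAN) echo 192.168.1.0/24 ;;
    OFFICE) echo 192.168.2.0/24 ;;
    WIRMAN) echo 192.168.3.0/24 ;;
    STAWIR) echo 192.168.4.0/24 ;;
    CLIWIR) echo 192.168.5.0/24 ;;
    *) echo "unknown VLAN: $1" >&2; return 1 ;;
  esac
}

# Which VLAN may open connections into which. One direction per pair: the
# reply traffic is already accepted by the RELATED,ESTABLISHED rule, and
# anything not listed falls through to the FORWARD DROP policy.
ALLOWED="NETMAN:OFFICE NETMAN:WIRMAN NETMAN:STAWIR NETMAN:CLIWIR OFFICE:STAWIR STAWIR:OFFICE"

# The Network Management rules from the first reply, where source and
# destination were swapped; kept to show the check catching them.
BUGGY="NETMAN:OFFICE OFFICE:OFFICE WIRMAN:OFFICE STAWIR:OFFICE CLIWIR:OFFICE OFFICE:STAWIR STAWIR:OFFICE"

# forward_allowed LIST SRC DST: exit 0 if LIST lets SRC open connections to DST
forward_allowed() {
  case " $1 " in
    *" $2:$3 "*) return 0 ;;
    *)           return 1 ;;
  esac
}

# check_policy LIST: print "ok" if LIST meets the three requirements,
# otherwise print the first violation found and fail
check_policy() {
  local list="$1" s d
  for d in $VLANS; do
    [ "$d" = NETMAN ] && continue
    # 1. Network Management reaches every VLAN, and no VLAN reaches into it
    forward_allowed "$list" NETMAN "$d" || { echo "NETMAN cannot reach $d"; return 1; }
    forward_allowed "$list" "$d" NETMAN && { echo "$d reaches into NETMAN"; return 1; }
  done
  # 2. Office and Staff Wireless intermingle, neither touches Client
  forward_allowed "$list" OFFICE STAWIR && forward_allowed "$list" STAWIR OFFICE \
    || { echo "OFFICE and STAWIR cannot intermingle"; return 1; }
  for s in OFFICE STAWIR; do
    forward_allowed "$list" "$s" CLIWIR && { echo "$s touches CLIWIR"; return 1; }
  done
  # 3. Client Wireless/Lab reaches no local network (the Internet rule is separate)
  for d in $VLANS; do
    forward_allowed "$list" CLIWIR "$d" && { echo "CLIWIR reaches $d"; return 1; }
  done
  echo ok
}

# emit_rules LIST: print one FORWARD rule per allowed pair, refusing a LIST
# that fails check_policy
emit_rules() {
  local list="$1" pair
  check_policy "$list" >/dev/null || return 1
  for pair in $list; do
    printf '%s -t filter -A FORWARD -s %s -d %s -j ACCEPT\n' \
      "$IP" "$(vlan_subnet "${pair%%:*}")" "$(vlan_subnet "${pair##*:}")"
  done
}

# Demonstration: the first reply's list is rejected, the corrected one is printed
echo "first reply's rules: $(check_policy "$BUGGY")"
emit_rules "$ALLOWED"
```

Once the printed rules look right they can be loaded with `emit_rules "$ALLOWED" | sh` from a script that has already set the DROP policies and the conntrack rule; the check runs before anything is emitted, so a swapped pair never reaches the router.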