[olug] Firewall help
Lou Duchez
lou at paprikash.com
Thu Apr 20 16:56:11 CDT 2017
Verdammt, I screwed up the Network Management rules because I am a
lummox. Use the following instead:
# "I need the Network Management to be able to reach into any network but no network can reach into this one."
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_WIRMAN -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_STAWIR -j ACCEPT
$IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_CLIWIR -j ACCEPT
> As in, iptables? Here's how I might set it up. I'm not saying much
> about your "nat" chain because I feel like you've got that part under
> control, but let me know if I should elaborate.
>
> ---
>
> #!/bin/bash
>
> # Here are constants you can change as required
>
> IP=/sbin/iptables
>
> VLAN_NETMAN=192.168.1.0/24
> VLAN_OFFICE=192.168.2.0/24
> VLAN_WIRMAN=192.168.3.0/24
> VLAN_STAWIR=192.168.4.0/24
> VLAN_CLIWIR=192.168.5.0/24
>
> ALLLOCALNETWORKS=192.168.0.0/16
>
>
> # set the defaults
>
> $IP -t filter -P INPUT DROP
> $IP -t filter -P OUTPUT ACCEPT
> $IP -t filter -P FORWARD DROP
>
> $IP -t nat -P PREROUTING ACCEPT
> $IP -t nat -P POSTROUTING ACCEPT
> $IP -t nat -P OUTPUT ACCEPT
>
> # quick evaluation that covers 99% of cases: accept any connections that were previously approved
>
> $IP -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IP -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IP -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IP -t nat -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> # now let's approve new connections
>
> # the easy-to-forget loopback rule
>
> $IP -t filter -A INPUT -i lo -j ACCEPT
>
>
> # probably should put some rules in here to make sure you can SSH into the box
>
> $IP -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
>
>
> # Internet (which is to say, none of the local networks -- depending on how messy your setup is, you might want to create a chain to identify local networks)
> # (negation goes before the option: "! -d", the form current iptables accepts)
>
> $IP -t filter -A FORWARD -s $ALLLOCALNETWORKS ! -d $ALLLOCALNETWORKS -j ACCEPT
>
>
> # "I need the Network Management to be able to reach into any network but no network can reach into this one."
>
> $IP -t filter -A FORWARD -s $VLAN_NETMAN -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_WIRMAN -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_CLIWIR -d $VLAN_OFFICE -j ACCEPT
>
>
> # "Office and Staff Wireless can intermingle but not touch Client."
>
> $IP -t filter -A FORWARD -s $VLAN_OFFICE -d $VLAN_STAWIR -j ACCEPT
> $IP -t filter -A FORWARD -s $VLAN_STAWIR -d $VLAN_OFFICE -j ACCEPT
>
>
> # "Client Wireless/Lab drops to Internet, no intermingling with any others."
> # (no positive rules need to be created for this)
>
>
>> Hello folks!! Been a long time since I had to do some "by hand" firewall
>> rules on a linux box (Ubiquiti EdgeX actually) and I am completely out of
>> my element.
>>
>> I have 5 VLAN's on the network:
>> Network Management
>> Office
>> Wireless Management
>> Staff Wireless
>> Client Wireless/Lab
>>
>> I need the Network Management to be able to reach into any network but no
>> network can reach into this one.
>> Office and Staff Wireless can intermingle but not touch Client.
>> Client Wireless/Lab drops to Internet, no intermingling with any others.
>>
>> Anyone's Google-Fu able to find me a close example?
>>
>> If not, anyone want to make a few bucks helping me write these rules??
>>
>> This is the final piece of a church setup I put in place that I would like
>> to wrap up.
>>
>> Thank you!!
>>
>> Craig Wolf
>> (402)990-3010
>>
>> Strengths: Activator, Relator, Adaptability, Learner, Achiever
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
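The correction above shows how easy it is to get one source/destination pair backwards in a hand-written FORWARD chain. The script below is an added example, not code from the thread or from either poster: it restates the three requirements as a list of permitted source-to-destination VLAN pairs, emits the FORWARD rules from that list in load order, and answers "would a new connection from X to Y get through?" the way a first-match chain with a DROP policy would, so the policy can be checked before it is loaded. The VLAN names and subnets are the ones used in the thread; the INTERNET pseudo-destination, the POLICY list and the helper functions are assumptions of this example. IP defaults to echo so the script runs without root or iptables and just prints the rules.

```shell
#!/bin/sh
# Added example (not from the thread): the five-VLAN policy as an allow-list,
# a rule generator driven by that list, and a dry-run evaluator for it.
# VLAN names/subnets follow the thread; IP defaults to "echo" (assumption) so
# this runs anywhere and prints rules instead of applying them.

IP=${IP:-echo}

VLAN_NETMAN=192.168.1.0/24
VLAN_OFFICE=192.168.2.0/24
VLAN_WIRMAN=192.168.3.0/24
VLAN_STAWIR=192.168.4.0/24
VLAN_CLIWIR=192.168.5.0/24
ALLLOCALNETWORKS=192.168.0.0/16

# Permitted NEW flows between VLANs, one "SRC DST" pair per line (assumed
# encoding). Replies are handled by conntrack; anything not listed here and
# not bound for the Internet falls through to the DROP policy.
#   - Network Management reaches every other VLAN, nobody reaches it.
#   - Office and Staff Wireless talk to each other.
#   - Client Wireless/Lab gets only the Internet rule.
POLICY='
NETMAN OFFICE
NETMAN WIRMAN
NETMAN STAWIR
NETMAN CLIWIR
OFFICE STAWIR
STAWIR OFFICE
'

# Map a VLAN name to its subnet.
net_of() {
    case $1 in
        NETMAN) echo "$VLAN_NETMAN" ;;
        OFFICE) echo "$VLAN_OFFICE" ;;
        WIRMAN) echo "$VLAN_WIRMAN" ;;
        STAWIR) echo "$VLAN_STAWIR" ;;
        CLIWIR) echo "$VLAN_CLIWIR" ;;
        *) echo "unknown VLAN: $1" >&2; return 1 ;;
    esac
}

# Print the FORWARD chain in the order it must be loaded: reply traffic
# first, then local -> Internet, then the explicit pairs. Nothing else is
# needed because the chain policy is DROP.
emit_rules() {
    $IP -t filter -P FORWARD DROP
    $IP -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # "! -d" (negation before the option) is the form current iptables accepts.
    $IP -t filter -A FORWARD -s "$ALLLOCALNETWORKS" ! -d "$ALLLOCALNETWORKS" -j ACCEPT
    echo "$POLICY" | while read -r src dst; do
        [ -n "$src" ] || continue
        $IP -t filter -A FORWARD -s "$(net_of "$src")" -d "$(net_of "$dst")" -j ACCEPT
    done
}

# Would a NEW connection from VLAN $1 to VLAN $2 (or to INTERNET) be accepted
# by the chain emit_rules builds? Returns 0 for accept, 1 for drop. This
# mirrors the chain: the Internet rule matches first, then the pair list,
# then the DROP policy.
allowed() {
    src=$1; dst=$2
    [ "$dst" = INTERNET ] && return 0
    echo "$POLICY" | grep -qx "$src $dst"
}

emit_rules
```

Run it as-is to review the generated rules; run it with IP=/sbin/iptables as root to apply them. The allowed function is the part worth keeping around: a handful of checks like "OFFICE to NETMAN must be dropped" and "CLIWIR to OFFICE must be dropped" against the same POLICY list that generates the rules catch a swapped pair before it reaches the box, which is exactly the mistake the correction at the top of this message fixes.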