quddusa asked:
IPTables/Firewall setup for a linux gateway

I need some help with iptables to block incoming and outgoing traffic of various types on different interfaces,
but would like to allow a few types for routing between these ports.

Below is my scenario:
PC with Ubuntu installed has 3 ethernet ports
Eth0 10.xx.xx.xx  connected to a machine 10.xx.xx.xx
Eth1 90.xx.xx.xx  connected to internet
Eth2 192.xx.xx.xx connected to a machine on internal network

Route incoming SSH traffic from a domain name on eth1 towards eth0, where the connected machine (IP) should receive the request, and drop all other incoming communications on eth1, but allow all outgoing communication.
Eth2 should be able to communicate to eth0 only, but eth0 and eth1 must not be able to communicate to eth2.

I have tried my best to depict my scenario, but please ask if I left something out.
Thanks. (Attachment: figure.pdf)
ASKER CERTIFIED SOLUTION
noci

SOLUTION
noci
With respect to the script kiddies, check out fail2ban
http://fail2ban.sourceforge.net/

to block repeated break-in attempts...
quddusa (ASKER)
Hi Mcc,

Thanks for the prompt reply. Just to be on the safe side:
eth0 to eth2 communication should be blocked.
eth2 to eth0 communication should be allowed.
eth2 should be blocked from accessing eth1.

Communication coming in on eth2 should be forwarded to the machine IP on eth0 (something similar to rule one).
Besides this, do we need to set up the routes manually to have it working more efficiently?
quddusa (ASKER)
eth2 should be blocked from accessing eth1, and vice versa.
quddusa,

Anything that is not allowed is dropped (or rejected on eth2).

eth0 -> eth2 isn't mentioned ==> blocked
eth2 -> eth0 is mentioned so allowed
anything from eth2 is rejected
eth1 -> eth2 isn't mentioned ==> blocked.

You have to keep in mind that ALL rules mentioned are tried on all packets passing until a match is found so adding rules means adding a slight delay for every test that fails...
quddusa (ASKER)
I am expecting to have eth1 --> eth2 blocked and vice versa.
Simply put, eth2 should not have any communication with eth1 in any direction.

Do we need another rule for this?
You need to keep in mind that the order of these rules matters. A packet falls through from the top until a rule matches and "jumps" to the target of that rule. So, if there is an ACCEPT rule that matches, it will be ACCEPTed. If not, the packet will fall through to either be REJECTed if coming from eth2 or completely DROPped if coming from elsewhere.

Your blocking happens with the REJECT and DROP rules. DROPping the packet does just that: it drops the packet as if it never came in, with no reply. A REJECT sends back an error packet to the originator of the packet, but still blocks the traffic.
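As an added example (not part of the original thread or of any expert's answer here), the following script puts the three-interface scenario from the question and the ordering / DROP-versus-REJECT explanation above into a concrete ruleset. The interface roles follow the question (eth1 internet, eth0 the SSH server's link, eth2 the internal network); the server address 10.0.0.2 and the administrator's public address 198.51.100.7 are constructed placeholders, as is the use of a plain address in place of the question's domain name.

```shell
#!/bin/sh
# Added example gateway ruleset for the scenario in the question; not the
# original answer. Addresses are constructed placeholders.
#
#   sh gateway.sh dry-run    # print the rules without touching the kernel
#   sudo sh gateway.sh apply # apply them (flushes existing rules first)

WAN=eth1                  # connected to the internet
SRV=eth0                  # link to the machine that receives SSH
LAN=eth2                  # internal network
SRV_HOST=10.0.0.2         # constructed: the SSH server behind eth0
ADMIN_HOST=198.51.100.7   # constructed: where the SSH client arrives from

apply_rules() {
    IPT="${IPT:-iptables}"
    SYSCTL="${SYSCTL:-sysctl}"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        IPT="echo $IPT"
        SYSCTL="echo $SYSCTL"
    fi

    $SYSCTL -w net.ipv4.ip_forward=1

    # Start from a clean slate in both the filter and nat tables.
    $IPT -F
    $IPT -X
    $IPT -t nat -F

    # Default policies: anything not explicitly allowed below is dropped
    # silently. Outbound traffic from the gateway itself is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Replies to connections we already allowed must be matched FIRST,
    # otherwise the per-interface REJECT/DROP rules below would kill them.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rule one: SSH arriving on eth1 from the admin host is rewritten to the
    # server on eth0 and the forwarded connection is allowed.
    $IPT -t nat -A PREROUTING -i $WAN -s $ADMIN_HOST -p tcp --dport 22 \
        -j DNAT --to-destination $SRV_HOST
    $IPT -A FORWARD -i $WAN -o $SRV -s $ADMIN_HOST -d $SRV_HOST \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Everything else coming in on eth1 is dropped (explicit, though the
    # FORWARD policy would do the same).
    $IPT -A FORWARD -i $WAN -j DROP

    # Outgoing traffic from the eth0 side to the internet, masqueraded.
    $IPT -A FORWARD -i $SRV -o $WAN -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # SSH coming in on eth2 is forwarded to the same server (the asker's
    # follow-up request), and eth2 -> eth0 is allowed in general.
    $IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 22 \
        -j DNAT --to-destination $SRV_HOST
    $IPT -A FORWARD -i $LAN -o $SRV -m conntrack --ctstate NEW -j ACCEPT

    # Anything else from eth2 (e.g. towards eth1) is rejected with an ICMP
    # error so internal hosts see a failure instead of a hang. Traffic
    # towards eth2 from eth0 or eth1 is dropped silently.
    $IPT -A FORWARD -i $LAN -j REJECT --reject-with icmp-port-unreachable
    $IPT -A FORWARD -o $LAN -j DROP
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1 apply_rules ;;
esac
```

Two points worth knowing when adapting this: iptables resolves a hostname given to `-s` only once, when the rule is loaded, so a domain name whose address changes later is not tracked; and the ESTABLISHED,RELATED rule must stay above the REJECT and DROP rules, since (as the reply above says) the first matching rule decides the packet's fate.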
SOLUTION
quddusa (ASKER)
An incomplete solution because of the missing information.