Isolating a subnet

I need to allow public access to a web server on one computer on my network. I'm forwarding from the main firewall to the computer. The computer sits behind its own local router, and it's on its own physical subnet.

I think all I need to do is something like this at the local router:

# non-SYN TCP from vlanX addressed to the local network (intended as return traffic)
iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 --jump ACCEPT
# non-SYN TCP from vlanX with source port 80 (intended as returning HTTP)
iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 --jump ACCEPT
# everything else arriving on vlanX
iptables -A INPUT --in-interface vlanX --jump DROP

In other words, only allow returning http connections and returning connections from the local network (so I can get in with ssh).

Anyone see anything wrong with this?

--Yan
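The reply excerpted below makes two points: a router filters traffic it passes along in the FORWARD chain, not INPUT (INPUT only sees packets addressed to the router itself), and a rule keyed on "! --syn" accepts any forged non-SYN packet, so it does not actually restrict traffic to returning connections. The script below is an added example, not code from the original thread, showing how the same intent is normally expressed with connection tracking. The interface names eth0 and vlan2, the web server address 192.168.5.10 and the management range 192.168.0.0/16 are assumptions for illustration; it also assumes the main firewall does the port forwarding (DNAT), so this router only has to filter. It prints a filter table in iptables-restore(8) format rather than running iptables directly, so it can be reviewed and tested before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the original post. A stateful ruleset for the
# local router that sits between the main firewall and the web server's subnet.
# Interface names and addresses are assumptions for illustration:
#   wan  - router interface toward the main firewall (e.g. eth0)
#   lan  - the isolated subnet's interface (the post's vlanX, e.g. vlan2)
#   web  - the web server's address on that subnet (e.g. 192.168.5.10)
#   mgmt - the local network allowed to ssh in (e.g. 192.168.0.0/16)
# build_ruleset prints a filter table in iptables-restore(8) format. The rules
# live in FORWARD because the router forwards this traffic rather than
# terminating it, so INPUT never sees it.

build_ruleset() {
    if [ $# -ne 4 ]; then
        echo "usage: build_ruleset WAN LAN WEB_IP MGMT_NET" >&2
        return 2
    fi
    wan=$1 lan=$2 web=$3 mgmt=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets belonging to a connection the router has already tracked, in either
# direction. Unlike "! --syn", which accepts any forged non-SYN packet, a
# conntrack entry only exists once a handshake really passed through here.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# New inbound flows: HTTP to the web server (the main firewall forwards the
# public port there) and ssh to it from the management network only.
-A FORWARD -i $wan -o $lan -d $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $wan -o $lan -s $mgmt -d $web -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Isolation in the other direction: the web server may reach the Internet
# (updates, DNS) but may not open connections into the rest of the private range.
-A FORWARD -i $lan -o $wan -d $mgmt -m conntrack --ctstate NEW -j DROP
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# The router itself: loopback, replies, and ssh from the management network.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -s $mgmt -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Dry-run parse with the real loader when it is available (needs root); falls
# back to just generating the text so the check can run on any machine.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        build_ruleset "$@" | iptables-restore --test
    else
        build_ruleset "$@" >/dev/null
    fi
}

# Load atomically: iptables-restore swaps the whole table in one step, so there
# is no moment where only half the rules are in place.
apply_ruleset() {
    build_ruleset "$@" | iptables-restore
}

# Example invocation (prints the ruleset; apply_ruleset would load it):
#   build_ruleset eth0 vlan2 192.168.5.10 192.168.0.0/16
```

The FORWARD policy is DROP, so anything not explicitly listed (other ports on the web server, other hosts on vlan2, or the web server reaching back into 192.168.0.0/16) is refused; the web server's own outbound Internet access is a design choice and can be removed if the subnet should be fully isolated.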



Relevant Pages

  • Re: Isolating a subnet
    ... The computer sits behind its own local router, and it's on its own physical subnet. ... only allow returning http connections and returning connections from the local network. ... It looks like you are using the wrong iptables chain here, use FORWARD instead of the current one, which is used to filter routing traffic assuming you are configuring your local router as noted on your post. ... Anyone trying to abuse your net can possibly generate packets that can bypass the firewall rules and reach your webserver. ...
    (comp.os.linux.security)