Re: iptables firewall with 3 networks

From: Micheal Robert Zium (mrozium_at_XSPAMX-yahoo.com)
Date: 09/22/04


Date: 21 Sep 2004 21:38:35 -0500

JP wrote:

>Hi,
>
>I've been tasked with creating a firewall on a linux system using iptables
>and locking the system down as much as possible, I've done some simple
>firewall rules before but that was a little easier as it had an internet
>connection and a LAN, it was also quite a few years ago.

Quite a few years ago, you were probably using IPChains. :)

> Corporate LAN eth0 10.1.1.1
> Support LAN eth1 172.16.1.1
> Customer LAN eth2 192.168.1.1
>
>The Corporate LAN must be able to get to the Support LAN and the Customer
>LAN.

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22:23 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -p tcp --dport 22:23 -j ACCEPT
You'll also want stateful protection for returning packets:
iptables -A FORWARD -i eth1 -o eth0 -m state --state \
ESTABLISHED,RELATED -j ACCEPT, etc. Depending on how devious your
internal users are, there are some other things you may want to add,
such as spoof protection and SYN checking, to name a couple.

>The Support LAN will need access to the Customer LAN but should not be able
>to get back thru to the Corporate LAN.

iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22:23 -j ACCEPT

>The Customer LAN should not be able to get back to either the Support LAN or
>the Corporate LAN.

No rules needed, if you have a proper REJECT or DROP default rule.

>All I have in my head at the moment is splitting each interface into
>input/output rules but it sounds (to me) far too complicated than it needs
>to be. Can anyone give me an idea where to start? I'd like it to be as
>simple as possible so it's easy to manage.

The only input rules you want are to access services run _on_ the
firewall. Most likely, that would be eth0. As far as output rules
go, why would you want to access anything _from_ the firewall?

>We will be using mainly telnet and ssh to access various systems among the
>three networks.

Ssh is good. Telnet only on trusted LANs.
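As an added example (not part of the original post), the complete ruleset the reply sketches, emitted one command per line so it can be reviewed before being applied; it assumes /24 masks for the three LANs (the thread gives only the gateway addresses) and that the firewall itself is managed over ssh from the corporate LAN only.

```shell
#!/bin/sh
# Added example: three-LAN iptables ruleset, default deny, printed for review.
# Apply with:  ruleset | sh     (as root, on the firewall)
# Interface/network assignments follow the thread; /24 masks are an assumption.
CORP_IF=eth0;  CORP_NET=10.1.1.0/24
SUPP_IF=eth1;  SUPP_NET=172.16.1.0/24
CUST_IF=eth2;  CUST_NET=192.168.1.0/24

ruleset() {
    # Flush, then default deny: the customer LAN needs no explicit rules at all.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Spoof protection: a packet entering an interface must carry that LAN's source range.
    for pair in "$CORP_IF $CORP_NET" "$SUPP_IF $SUPP_NET" "$CUST_IF $CUST_NET"; do
        set -- $pair
        echo "iptables -A FORWARD -i $1 ! -s $2 -j DROP"
        echo "iptables -A INPUT -i $1 ! -s $2 -j DROP"
    done
    # SYN checking: a NEW TCP connection that does not start with SYN is bogus.
    echo "iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP"
    # Return traffic for already-accepted connections, in every direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Corporate -> Support, Corporate -> Customer, Support -> Customer (ssh 22, telnet 23).
    echo "iptables -A FORWARD -i $CORP_IF -o $SUPP_IF -p tcp --dport 22:23 -j ACCEPT"
    echo "iptables -A FORWARD -i $CORP_IF -o $CUST_IF -p tcp --dport 22:23 -j ACCEPT"
    echo "iptables -A FORWARD -i $SUPP_IF -o $CUST_IF -p tcp --dport 22:23 -j ACCEPT"
    # The firewall host itself: loopback, replies, and ssh management from the corporate LAN.
    # OUTPUT stays default-DROP, since nothing should originate from the firewall.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $CORP_IF -s $CORP_NET -p tcp --dport 22 -j ACCEPT"
}

# Policy self-check: count ACCEPT rules that would forward customer or support
# traffic "upstream" (toward corporate, or customer toward support). Must be 0.
forbidden_forwards() {
    ruleset | grep -c -E -- "-i ($CUST_IF|$SUPP_IF) -o ($CORP_IF|$SUPP_IF) .*-j ACCEPT" || true
}
```

Run the script and pipe `ruleset` through `sh` only after `forbidden_forwards` prints 0; the review step is the point of emitting text instead of calling iptables directly.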
