iptables configuration

[bkesting]

I have a new question about iptables.

I have a router/internet gateway that has several different networks connected to it. There is 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24. The 192.168.2.0/24 network has a branch router of 192.168.2.30 that is connected to a 192.168.10.0/24 network. I would like to block access of the 192.168.10.0 network to the 192.168.1.0 network. What type of iptables command would I use on my gateway/router to do this?

Something like this:

iptables -A INPUT -s 192.168.2.30 -i eth2 -p all -d 192.168.1.0/24 -j DROP

[gr8rcake]

As the traffic isn't destined for the firewall the INPUT isn't correct, it should be FORWARD instead. FORWARD is used for routing traffic through the firewall.

Code:

iptables -A FORWARD -s 192.168.10.0/24 -i eth2 -p all -d 192.168.1.0/24 -j DROP

The traffic isn't coming from the 192.168.2.30 router IP address, but the 192.168.10.0/24 network, so there should be no reference to 192.168.2.30. Unless NAT is involved, routers / firewalls do not change the source / destination IP address of the packets.

To simplify the rule you could also delete the reference to the interfaces.

Code:

iptables -A FORWARD -s 192.168.10.0/24 -p all -d 192.168.1.0/24 -j DROP

You should also consider logging dropped packets to make troubleshooting easier.

Hope this helps.

[bkesting]

That worked perfectly.....thanks.