Firewall with one way routing

pelumu
2009-03-10
2013-03-05
  • pelumu

    pelumu - 2009-03-10

    Hi,

    I want to use my host as router and iptables firewall.

    For the following case I don't know how to create the correct rule(s):
    All workstations in the LAN should have access to service X in the internet.
    The firewall host itself should have no access to service X in the internet.
    The internet should have no access to service X on the firewall host and the LAN.

    Thanks for any help.

     
    • Vadim Kurland

      Vadim Kurland - 2009-03-10

      You build rules just like you describe them here. To permit all machines on the LAN access to service X on the Internet, you put the object that describes your LAN in "Source" and the object that describes service X in "Service" of a policy rule and leave "Destination" as "any". To permit access to service X on the firewall, put the firewall object in "Destination". And so on. Rules are evaluated from top to bottom and the first rule that matches the packet stops processing. At the very bottom of the policy you put a "catch all" rule with "any" in all three rule elements.

      You can start with one of the templates and edit rules, this might be simpler. See these tutorials:

      http://www.fwbuilder.org/slideshows/brief_introduction/slide_1.html
      http://www.fwbuilder.org/slideshows/tutorial_3/slide_1.html

       
      • pelumu

        pelumu - 2009-03-10

        I have read all the tutorials, howtos and so on, but the practical start is difficult.

        Could the following be right:

        Rule 0:
        Source: LAN
        Destination: not Firewall, not LAN
        Service: X
        Interface: internal net
        Direction: inbound
        Action: accept

        Rule 1:
        catch all with action deny

        All workstations in the LAN should have access to service X in the internet. -> Rule 0

        The firewall host itself should have no access to service X in the internet. -> No rule for that, and so no access to service X in the internet.

        The internet should have no access to service X on the firewall host and the LAN. -> No rule for the external net interface, and so no access from the internet to the firewall host.

        Is that OK?

         
        • Vadim Kurland

          Vadim Kurland - 2009-03-10

          this should work.
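What the rule set agreed on above comes down to at the iptables level, as an added example that is neither from the thread nor fwbuilder's generated output: a shell function emitting an iptables-restore policy for the three requirements, plus a check that the firewall host and the internet get no ACCEPT for the service. The LAN network, internal interface name and the TCP port standing in for "service X" are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or fwbuilder: the three requirements as an
# iptables-restore policy. Network, interface and port values below are assumed.
LAN_NET="192.168.1.0/24"   # assumed LAN (constructed value)
LAN_IF="eth1"              # assumed internal interface
SVC_PROTO="tcp"
SVC_PORT="5222"            # assumed TCP port standing in for "service X"

gen_policy() {
    cat <<EOF
*filter
# "Rule 1" (catch all, deny): default DROP on every chain, so anything that
# no earlier rule accepts is denied. OUTPUT DROP also cuts off every other
# outbound connection from the firewall host itself, so add explicit OUTPUT
# rules for whatever the host still needs (DNS, updates, ...).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Replies to connections that were accepted on the way out.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# "Rule 0": LAN -> service X, destination neither LAN nor firewall, inbound
# on the internal interface. Routed traffic traverses FORWARD only; packets
# addressed to the firewall go to INPUT instead, so "not Firewall" is
# implicit here and needs no extra match.
-A FORWARD -i $LAN_IF -s $LAN_NET ! -d $LAN_NET -p $SVC_PROTO --dport $SVC_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Requirement checks against the generated text: exactly one ACCEPT for the
# service in FORWARD, none in INPUT (internet -> firewall) or OUTPUT (firewall
# -> internet). Returns 0 when all three hold.
check_policy() {
    p=$(gen_policy)
    [ "$(printf '%s\n' "$p" | grep -c "^-A FORWARD .*--dport $SVC_PORT .*-j ACCEPT$")" = "1" ] || return 1
    printf '%s\n' "$p" | grep -q "^-A INPUT .*--dport" && return 1
    printf '%s\n' "$p" | grep -q "^-A OUTPUT .*--dport" && return 1
    return 0
}

# Usage: sh policy.sh > policy.rules && sudo iptables-restore --test policy.rules
gen_policy
```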

           
