On Fri, 2003-07-04 at 17:54, Michal Kepien wrote:

> >2. Both NIC1 and NIC3 Should be able to Connect VIA NIC2 to Internet.
> >NIC1 Should be able to connect to NIC3 but NIC3 must not be ABLE to
> >Connect to NIC1's network
>
> NIC1 ---> eth0
> NIC2 ---> eth1
> NIC3 ---> eth2
>
> NIC1's NETWORK: 192.168.0.0
> NIC3's NETWORK: 192.168.1.0
>
> # First, deny packets from NIC3 to NIC1
> iptables -A INPUT -i eth2 -s 192.168.1.0/24 -d 192.168.0.0/24 -j DROP

This needs to be the FORWARD chain, not INPUT. Since the traffic isn't destined for the firewall box itself, it goes to the FORWARD chain.

> # Then, enable all other packets (needed for Internet access)
> iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j ACCEPT
> iptables -A INPUT -i eth2 -s 192.168.1.0/24 -d 0.0.0.0/0 -j ACCEPT

Same here. All these rules do is allow those two subnets to access the box itself, not the Internet.

> ######## OUTPUT rules ########
> # We don't need to deny the packets from NIC3 to NIC1 once more as
> # every packet goes through the INPUT chain _first_
>
> # Accept re-masqueraded packets for both networks
> iptables -A OUTPUT -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/24 -j ACCEPT
> iptables -A OUTPUT -o eth2 -s 0.0.0.0/0 -d 192.168.1.0/24 -j ACCEPT

As above, this affects only traffic from the box itself, NOT forwarded traffic.

> BTW - why is there no packet tester in iptables (like the 'ipchains
> -C' command)? This little thing was _so_ useful...

As I suspected from your misconception about forwarded traffic, you're an ipchains veteran... ;^)

With iptables, FORWARD traffic never touches the INPUT or OUTPUT chains; those are explicitly for input and output to and from the box itself.

j
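As an added example (not code from either poster), here is the three-interface ruleset rewritten the way the reply describes: the NIC3-to-NIC1 block and the Internet-access rules live in FORWARD, since routed packets never visit INPUT or OUTPUT. The `ipt` dry-run wrapper, the ESTABLISHED,RELATED rule, the LOG rule and the MASQUERADE rule are my additions, not part of the original post.

```shell
#!/bin/sh
# NIC1=eth0 (192.168.0.0/24), NIC2=eth1 (uplink), NIC3=eth2 (192.168.1.0/24).
# Forwarded traffic is filtered in FORWARD only; INPUT/OUTPUT are for the box itself.
# Set IPT_DRY_RUN=1 to print the commands instead of executing them (assumed helper).

LAN1_IF=eth0; LAN1_NET=192.168.0.0/24
WAN_IF=eth1
LAN3_IF=eth2; LAN3_NET=192.168.1.0/24

ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_forward_rules() {
    # Default-deny for routed traffic, then start from an empty chain.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Replies to connections already allowed (NIC1->NIC3 answers, Internet answers).
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NIC3 must never initiate to NIC1's network: log the attempt, then drop it.
    # This rule must come before the broad ACCEPTs below.
    ipt -A FORWARD -i "$LAN3_IF" -s "$LAN3_NET" -d "$LAN1_NET" -j LOG --log-prefix "nic3-to-nic1 "
    ipt -A FORWARD -i "$LAN3_IF" -s "$LAN3_NET" -d "$LAN1_NET" -j DROP
    # NIC1 may reach both NIC3's network and the Internet.
    ipt -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -j ACCEPT
    # NIC3 may only go out via the uplink.
    ipt -A FORWARD -i "$LAN3_IF" -s "$LAN3_NET" -o "$WAN_IF" -j ACCEPT
    # Hide both LANs behind the uplink address (nat table, not a filter chain).
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Only touch the live firewall when explicitly asked: sh rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_forward_rules
fi
```

Run with `IPT_DRY_RUN=1 sh rules.sh apply` to review the generated rules before loading them on the box.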