Hello All,
I'm having a bit of trouble setting up a linux router with two private subnets. Each subnet can access the internet, but they cannot communicate with each other. I've include my rules. Any and all advice would be greatly appreciated.
Thanks in advance, -G
### setup networking ############################################ LAN_IP1="10.10.10.1/24"
LAN_IP2="10.10.11.254/24"
echo "Bringing down interfaces"
# bring down interfaces
ip link set $WAN_IFACE down
ip link set $LAN_IFACE1 down
ip link set $LAN_IFACE2 down
echo "Setting interface addresses"
# set interface addresses
ip addr add $WAN_IP dev $WAN_IFACE
ip addr add $LAN_IP1 dev $LAN_IFACE1
ip addr add $LAN_IP2 dev $LAN_IFACE2
echo "Cleanup iptables"
# clean up the tables
iptables -F
iptables -X
iptables -Z
echo "Setting default policies"
# Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "Bringing up interfaces"
# bring up interfaces
ip link set $WAN_IFACE up
ip link set $LAN_IFACE1 up
ip link set $LAN_IFACE2 up
echo "Adding default route"
# add default route
ip route add default via $INET_ROUTER dev eth0
echo "Enable forwarding"
# Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
### setup firewall
#######################################################
# Let stuff on the local loopback through
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo "Setup SNAT..."
# Source NAT
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j SNAT --to $WAN_IP
echo "Accept internal addresses"
# packets with valid internal address are accepted on $LAN_IFACE
iptables -t mangle -A PREROUTING -i $LAN_IFACE1 -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -t mangle -A PREROUTING -i $LAN_IFACE2 -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -t mangle -A PREROUTING -i $LAN_IFACE1 -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -t mangle -A PREROUTING -i $LAN_IFACE2 -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
# no packets with $LAN_IP accepted on $WAN_IFACE
iptables -t mangle -A PREROUTING -i $WAN_IFACE -s $INTERNAL_ADDRESS_RANGE1 -j DROP
iptables -t mangle -A PREROUTING -i $WAN_IFACE -s $INTERNAL_ADDRESS_RANGE2 -j DROP
# allow connections to firewall from LAN
iptables -A INPUT -p ALL -i $LAN_IFACE1 -s $INTERNAL_ADDRESS_RANGE1 -d $LAN_BCAST_ADDRESS1 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN_IFACE2 -s $INTERNAL_ADDRESS_RANGE2 -d $LAN_BCAST_ADDRESS2 -j ACCEPT
iptables -A OUTPUT -o $WAN_IFACE -j ACCEPT
# First off, allow through standard subnet-subnet traffic. It doesn't need
# to be logged, so get it out of there
# Accept the traffic to and from the subnets
iptables -A FORWARD -p all -s $INTERNAL_ADDRESS_RANGE1 -d $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE2 -d $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE1 -d $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE2 -d $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
# Put in a syn flood rule to stop people from a DOS attack
# Commented out while testing things
iptables -N syn-flood
iptables -A FORWARD -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Allow new connections out (And logged for interest sake)
#iptables -A FORWARD -p tcp -s $INTERNAL_ADDRESS_RANGE --syn -m state --state NEW -j LOG --log-prefix "New connection: "
iptables -A FORWARD -p tcp -s $INTERNAL_ADDRESS_RANGE1 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $INTERNAL_ADDRESS_RANGE2 --syn -m state --state NEW -j ACCEPT
# allow all DNS traffic out
iptables -A FORWARD -p udp -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -A FORWARD -p udp -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
# And accept established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Also don't allow fragments - they're bad
iptables -A FORWARD -f -j LOG --log-prefix "IP Fragment: "
iptables -A FORWARD -f -j DROP
# Allow ping out (but not in)
iptables -A FORWARD -p icmp -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -A FORWARD -p icmp -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
# And in this bit we'll put the things we do allow in
# Allow web requests to web server
iptables -A FORWARD -p tcp -d $WWW --dport 80 -j ACCEPT
# FTP connections to ftp server
iptables -A FORWARD -p tcp -d $FTP --dport 21 -j ACCEPT
# Allow incoming mail
iptables -A FORWARD -p tcp -d $MAIL --dport 25 -j ACCEPT
# DNS lookups to DNS
iptables -A FORWARD -p tcp -d $DNSa --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d $DNSa --dport 53 -j ACCEPT
# And DNS requests to Secondary DNS
iptables -A FORWARD -p tcp -d $DNSb --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d $DNSb --dport 53 -j ACCEPT
# Log and drop stuff
iptables -A FORWARD -p tcp -j LOG --log-prefix "Dropped TCP: "
iptables -A FORWARD -p tcp -j DROP
iptables -A FORWARD -p udp -j LOG --log-prefix "Dropped UDP: "
iptables -A FORWARD -p udp -j DROP
iptables -A FORWARD -p icmp -j LOG --log-prefix "Dropped ICMP: "
iptables -A FORWARD -p icmp -j DROP
# This is to really make sure things disappear
iptables -A FORWARD -j LOG --log-prefix "End Forward chain - Dropped: "
iptables -A FORWARD -j DROP