Beginner Question on restricting traffic within the same subnet.

Hi there,

Normally I think of firewalls as controlling packet flows that pass
through it (for example: Internet to Intranet).

Can netfilter also control traffic on the same subnet? Is this a
typical thing to do, or is it more normal to also deploy locally hosted
firewalls on the machines?

Suppose I had the following setup:
Internal Machines 1, 2 and 3 are on the same subnet governed by the
netfilter firewall.

                                           ---------- Machine1
Internet ------ Netfilter Firewall ---------- Machine2
                                           ---------- Machine3

Suppose I don't want Machine1 communicating with Machine3. Assume eth0
is the internal Netfilter interface. All machines are in the same subnet.
The Netfilter Firewall can be considered a typical Linux box with
router capabilities.

Is it normal to have the firewall restrict this kind of local subnet
access even though it does not technically leave the network?

Would the rules be as follows:

iptables -A FORWARD -i eth0 -s Machine1IP -d Machine3IP -j DROP
iptables -A FORWARD -o eth0 -s Machine1IP -d Machine3IP -j DROP
# redundant to previous rules?
iptables -A FORWARD -i eth0 -s Machine3IP -d Machine1IP -j DROP
# redundant to previous rules?
iptables -A FORWARD -o eth0 -s Machine3IP -d Machine1IP -j DROP
# allow Machine1 to talk to Machine2 and vice versa; allow Machine3 to
# talk to Machine2 and vice versa
iptables -A FORWARD -i eth0 -s anyIP -d anyIP -j ACCEPT
# allow Machine1 to talk to Machine2 and vice versa; allow Machine3 to
# talk to Machine2 and vice versa
iptables -A FORWARD -o eth0 -s anyIP -d anyIP -j ACCEPT
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
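Added example, not from the post or the netfilter project, that models the setup described above with assumed addresses and a tiny FORWARD-chain matcher: it shows that a packet between two hosts reached through the same firewall interface (one segment, where the hosts ARP for each other and the switch delivers frames directly) never enters the FORWARD chain, so none of the six rules can drop it, and which of the rules a forwarded packet actually hits once Machine3 is placed behind a separate interface.

```python
# Constructed topology for the question above (addresses are assumptions):
# each host maps to (IP, firewall interface it is reached through).
SAME_SEGMENT = {
    "Machine1": ("192.168.1.11", "eth0"),
    "Machine2": ("192.168.1.12", "eth0"),
    "Machine3": ("192.168.1.13", "eth0"),
}
# Variant with Machine3 moved behind its own interface (separate segment/VLAN).
SPLIT_SEGMENT = dict(SAME_SEGMENT, Machine3=("192.168.2.13", "eth2"))

def traverses_forward(hosts, src, dst):
    """FORWARD only sees packets the firewall must route, i.e. between hosts
    behind different interfaces. Hosts on one segment ARP for each other and
    the switch delivers the frames directly; the firewall never sees them."""
    return hosts[src][1] != hosts[dst][1]

def rule(target, src=None, dst=None, in_if=None, out_if=None):
    return {"target": target, "src": src, "dst": dst, "in": in_if, "out": out_if}

def to_iptables(r):
    """Render a rule as the iptables command line it corresponds to."""
    parts = ["iptables -A FORWARD"]
    for flag, key in (("-i", "in"), ("-o", "out"), ("-s", "src"), ("-d", "dst")):
        if r[key]:
            parts.append(f"{flag} {r[key]}")
    return " ".join(parts + ["-j", r["target"]])

def question_rules(hosts):
    """The six rules from the question, in order, with the typos fixed."""
    m1, m3 = hosts["Machine1"][0], hosts["Machine3"][0]
    return [rule("DROP", m1, m3, in_if="eth0"), rule("DROP", m1, m3, out_if="eth0"),
            rule("DROP", m3, m1, in_if="eth0"), rule("DROP", m3, m1, out_if="eth0"),
            rule("ACCEPT", in_if="eth0"), rule("ACCEPT", out_if="eth0")]

def first_match(hosts, rules, src, dst):
    """Index of the first rule a src->dst packet hits (iptables stops at the
    first terminating target), or None if no rule applies."""
    if not traverses_forward(hosts, src, dst):
        return None
    (sip, sif), (dip, dif) = hosts[src], hosts[dst]
    for i, r in enumerate(rules):
        if (r["src"] in (None, sip) and r["dst"] in (None, dip)
                and r["in"] in (None, sif) and r["out"] in (None, dif)):
            return i
    return None  # fell through to the chain policy

def unreachable(hosts, rules):
    """Rules that no packet between the listed hosts can ever reach."""
    hit = {first_match(hosts, rules, s, d) for s in hosts for d in hosts if s != d}
    return sorted(set(range(len(rules))) - hit)
```

On a live box the same check is the packet counters of `iptables -L FORWARD -v -n`: if they stay at zero while Machine1 and Machine3 talk, the traffic is not passing through the firewall and a host-based firewall or segment separation is what restricts it.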
