Firewall Configuration – No internet, just internal networks

Home Page Forums Network Management Networking Firewall Configuration – No internet, just internal networks

This topic contains 3 replies, has 0 voices, and was last updated by  vapour 9 years, 11 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
  • #41485


    I have planned to deploy zeroshell to seal off our internal lab environment.

    Basically, I have 4 NICs, none of which is connected to the internet. I have them configured and traffic works fine as-is (although all ports open). I am trying to figure out the chains of FORWARD, INPUT and OUTPUT. By default, the policy is ACCEPT, thus everything is working. However, I want to have a policy of DENY, and only allow certain ports between segments.

    ETH00 – 192.168.0.x
    ETH01 – 192.168.10.x
    ETH02 – 192.168.20.x
    ETH03 – 192.168.30.x

    I want traffic from any segment to 192.168.0.x (any IP) only on ports 8222 and 8333. That would be good to begin. What rules to I add to what chains for this, assuming a default of DENY on the chain?



    It is a bad idea to make any of the default chains DENY.

    you should first make rules that allow traffic (there are almost always less things you want to allow then deny) and after that add deny rules. watch for sequences numbers.

    INPUT chain deals with traffic that has its destination the firewall IPs
    FORWARD chain deals with traffic that has its destiantion IPs different from firewalls
    OUTPUT chain deals with traffic coming from firewall

    this is simple explanation there are many other things to consider.

    for your exapmle:
    fwd chain
    input ETH00
    Protocol Matching: chose source or destination ports you want to allow
    for examle if you would allow http then you chose destination port 80 protocol tcp
    Action: allow

    hope this helps



    I left the INPUT and OUTPUT chains alone for now. Just want to get the FORWARD working. I created a rule to allow all RELATED traffic from each subnet to each other subnet. I then added a rule under FORWARD to allow tcp/8333 and tcp/8222 from ETH01 to ETH00. It seems to function ok. I am trying to figure out the logging part now so I can see if stuff is dropping/etc.

    Thanks for the reply!



    vapor, you are on the right track. I will strongly disagree with others who say the default should not be DENY. It will be the LAST rule in the chain and thus should be DENY.

    But, when you set your tables up you may want to do it like so:

    # Flush all the previous rules

    /sbin/iptables -F INPUT
    /sbin/iptables -F FORWARD
    /sbin/iptables -F OUTPUT

    # Disable all routing until rules are in place

    /sbin/iptables -P INPUT DENY
    /sbin/iptables -P FORWARD DENY
    /sbin/iptables -P OUTPUT DENY

    # Now, add the FORWARD rules

    /sbin/iptables -A FORWARD … becomes rule 2
    /sbin/iptables -A FORWARD … becomes rule 1

    #NOTE, each time you add a rule, it becomes the first one in the chain, so the DENY rule is indeed the default rule (3)

    # Lastly, allow the INPUT and OUTPUT traffic

    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT

    This is certainly not complete or an exhaustive description, you may want to look at:




    Thanks. What I did was add the rules that I wanted, set them to logging to make sure all the traffic I wanted was being hit by those rules, then set the default to be deny. Works fine so far I think.. 🙂

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.