Isolate Subnet

Home Page Forums Network Management ZeroShell Isolate Subnet

This topic contains 2 replies, has 0 voices, and was last updated by  meggawhat 7 years, 3 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • August 25, 2012 at 1:45 am #43430

    meggawhat
    Member

    I have 2 subnets on 2 interfaces.

    ETH00 192.168.1.0/24 is RADIUS | for Employees
    ETH03 192.168.2.0/24 is WPA2 | for Guests.

    ETH01 is Internet…

    Default is DROP..
    I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0

    Both subnets can ping eachother and get to the internet WAN.

    But I want to *block* traffic coming from 192.168.2.0/24 from getting to through to 192.168.1.0/24.

    And *Allow* traffic coming from 192.168.1.0/24 to get to 192.168.2.0/24.

    Can someone help me with the firewall rule?

    August 25, 2012 at 4:40 pm #52436

    redfive
    Participant

    If ETH01 is directly connected to the internet( PPPoE ?), four simple rules in forward chain , with DROP as default policy , should be enough for a start config. 

    1 ACCEPT     all  --  ETH00  *       192.168.1.0/24        0.0.0.0/0
    
2 ACCEPT     all  --  ETH03  !ETH00  192.168.2.0/24        0.0.0.0/0
    
3 ACCEPT     all  --  ETH03  ETH00   192.168.2.0/24        192.168.1.0/24    state RELATED,ESTABLISHED
    
4 ACCEPT     all  --  ETH01  *       0.0.0.0/0             192.168.0.0/22    state RELATED,ESTABLISHED

    Default is DROP..
    I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0

    and about ETH01 ?? return traffic seems not allowed…are you using proxy ??
    cheers
    jonatha

    August 26, 2012 at 5:43 am #52437

    meggawhat
    Member

    Thanks for the code!
    Yes ETH01 is directly connected to the internet.
    I am using the Zeroshell transparent proxy and Clam AV.

    I don’t understand the reason for this one though…. I do not have a 192.168.0.0 subnet.

    ACCEPT all — ETH01 * 0.0.0.0/0 192.168.0.0/22 state RELATED,ESTABLISHED

    August 26, 2012 at 11:20 am #52438

    redfive
    Participant

    Without a rule to permit the return traffic , only http traffic will be allowed, thanks to http proxy , but https traffic will be denied… The 192.168.0.0/22 is a manual-summarized network or supernet ( /22 mask is wider than /24 class C default mask) and the rule

    4 ACCEPT     all  --  ETH01  *       0.0.0.0/0             192.168.0.0/22    state RELATED,ESTABLISHED

    will permit the return traffic to 0.0 ,1.0 , 2.0 and 3.0 . Obviously , having only the 1.0 and 2.0 networks , you can change the previous rule (#4) with these

    4 ACCEPT     all  --  ETH01  ETH00   0.0.0.0/0            192.168.1.0/24    state RELATED,ESTABLISHED
    
5 ACCEPT     all  --  ETH01  ETH03   0.0.0.0/0            192.168.2.0/24    state RELATED,ESTABLISHED

    Also add some rules in INPUT chain would not be a bad idea
    cheers
    jonatha

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.