Isolate Subnet
August 25, 2012 at 1:45 am #43430
I have 2 subnets on 2 interfaces.
ETH00 192.168.1.0/24 is RADIUS | for Employees
ETH03 192.168.2.0/24 is WPA2 | for Guests.
ETH01 is Internet…
Default is DROP..
I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0
Both subnets can ping each other and get to the internet WAN.
But I want to *block* traffic coming from 192.168.2.0/24 from getting through to 192.168.1.0/24.
And *Allow* traffic coming from 192.168.1.0/24 to get to 192.168.2.0/24.
Can someone help me with the firewall rule?
August 25, 2012 at 4:40 pm #52436
If ETH01 is directly connected to the internet (PPPoE?), four simple rules in the FORWARD chain, with DROP as the default policy, should be enough for a starting config.
1 ACCEPT all -- ETH00 * 192.168.1.0/24 0.0.0.0/0
2 ACCEPT all -- ETH03 !ETH00 192.168.2.0/24 0.0.0.0/0
3 ACCEPT all -- ETH03 ETH00 192.168.2.0/24 192.168.1.0/24 state RELATED,ESTABLISHED
4 ACCEPT all -- ETH01 * 0.0.0.0/0 192.168.0.0/22 state RELATED,ESTABLISHED
> Default is DROP..
> I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0

And what about ETH01? Return traffic seems not to be allowed… Are you using a proxy?
cheers
jonatha

August 26, 2012 at 5:43 am #52437
Thanks for the code!
Yes ETH01 is directly connected to the internet.
I am using the Zeroshell transparent proxy and Clam AV.
I don't understand the reason for this one though… I do not have a 192.168.0.0 subnet.
ACCEPT all -- ETH01 * 0.0.0.0/0 192.168.0.0/22 state RELATED,ESTABLISHED
August 26, 2012 at 11:20 am #52438
Without a rule to permit the return traffic, only HTTP traffic will be allowed, thanks to the HTTP proxy, but HTTPS traffic will be denied… The 192.168.0.0/22 is a manually summarized network, or supernet (the /22 mask is wider than the /24 class C default mask), and the rule
4 ACCEPT all -- ETH01 * 0.0.0.0/0 192.168.0.0/22 state RELATED,ESTABLISHED
will permit the return traffic to 0.0, 1.0, 2.0 and 3.0. Obviously, having only the 1.0 and 2.0 networks, you can replace the previous rule (#4) with these:
4 ACCEPT all -- ETH01 ETH00 0.0.0.0/0 192.168.1.0/24 state RELATED,ESTABLISHED
5 ACCEPT all -- ETH01 ETH03 0.0.0.0/0 192.168.2.0/24 state RELATED,ESTABLISHED
Also, adding some rules in the INPUT chain would not be a bad idea.
cheers
jonatha
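The FORWARD chain from this thread (rules 1 to 3 plus the split 4/5 return-traffic rules, default policy DROP), modelled as an added example that is not ZeroShell's own code, so each kind of flow can be checked against first-match semantics before the rules go on a live box; the host and Internet addresses in the sample flows are constructed.

```python
from ipaddress import ip_address, ip_network

# Interfaces and subnets as given in the thread.
EMP_IF, EMP_NET = "ETH00", ip_network("192.168.1.0/24")
GUEST_IF, GUEST_NET = "ETH03", ip_network("192.168.2.0/24")
WAN_IF, ANY = "ETH01", ip_network("0.0.0.0/0")

# FORWARD chain, first match wins: (in_if, out_if, src, dst, states, target).
# "*" matches any interface, a leading "!" negates it (rule 2's "!ETH00"),
# and states=None means the rule ignores conntrack state.
REL_EST = {"RELATED", "ESTABLISHED"}
FORWARD = [
    (EMP_IF,   "*",          EMP_NET,   ANY,       None,    "ACCEPT"),  # 1
    (GUEST_IF, "!" + EMP_IF, GUEST_NET, ANY,       None,    "ACCEPT"),  # 2
    (GUEST_IF, EMP_IF,       GUEST_NET, EMP_NET,   REL_EST, "ACCEPT"),  # 3
    (WAN_IF,   EMP_IF,       ANY,       EMP_NET,   REL_EST, "ACCEPT"),  # 4
    (WAN_IF,   GUEST_IF,     ANY,       GUEST_NET, REL_EST, "ACCEPT"),  # 5
]
POLICY = "DROP"  # default policy of the chain


def iface_match(pattern, iface):
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return iface != pattern[1:]
    return iface == pattern


def verdict(in_if, out_if, src, dst, state="NEW"):
    """Target of the first FORWARD rule matching the flow, else the policy."""
    src, dst = ip_address(src), ip_address(dst)
    for r_in, r_out, r_src, r_dst, states, target in FORWARD:
        if (iface_match(r_in, in_if) and iface_match(r_out, out_if)
                and src in r_src and dst in r_dst
                and (states is None or state in states)):
            return target
    return POLICY


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation-range address.
    flows = [
        ("guest -> employee, new",   "ETH03", "ETH00", "192.168.2.10", "192.168.1.10", "NEW"),
        ("employee -> guest, new",   "ETH00", "ETH03", "192.168.1.10", "192.168.2.10", "NEW"),
        ("guest -> employee, reply", "ETH03", "ETH00", "192.168.2.10", "192.168.1.10", "ESTABLISHED"),
        ("guest -> internet, new",   "ETH03", "ETH01", "192.168.2.10", "203.0.113.5", "NEW"),
        ("internet -> guest, reply", "ETH01", "ETH03", "203.0.113.5", "192.168.2.10", "ESTABLISHED"),
        ("internet -> guest, new",   "ETH01", "ETH03", "203.0.113.5", "192.168.2.10", "NEW"),
    ]
    for label, *args in flows:
        print(f"{label:28} {verdict(*args)}")
```

Rule 2's negated output interface is what keeps guest-initiated connections off the employee LAN; rule 3 only admits replies to connections the employee side started, and unsolicited packets from the WAN fall through to DROP.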