Isolate Subnet


This topic contains 2 replies, has 0 voices, and was last updated by  meggawhat 6 years, 9 months ago.

  • #43430

    meggawhat
    Member

    I have 2 subnets on 2 interfaces.

    ETH00 192.168.1.0/24 is RADIUS | for Employees
    ETH03 192.168.2.0/24 is WPA2 | for Guests.

    ETH01 is Internet…

    Default is DROP..
    I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0

    Both subnets can ping each other and get to the internet WAN.

    But I want to *block* traffic coming from 192.168.2.0/24 from getting through to 192.168.1.0/24.

    And *Allow* traffic coming from 192.168.1.0/24 to get to 192.168.2.0/24.

    Can someone help me with the firewall rule?

    #52436

    redfive
    Participant

    If ETH01 is directly connected to the internet (PPPoE?), four simple rules in the forward chain, with DROP as the default policy, should be enough for a starting config.

    1 ACCEPT     all  --  ETH00   *        192.168.1.0/24    0.0.0.0/0
    2 ACCEPT     all  --  ETH03   !ETH00   192.168.2.0/24    0.0.0.0/0
    3 ACCEPT     all  --  ETH03   ETH00    192.168.2.0/24    192.168.1.0/24    state RELATED,ESTABLISHED
    4 ACCEPT     all  --  ETH01   *        0.0.0.0/0         192.168.0.0/22    state RELATED,ESTABLISHED

    Default is DROP..
    I have the firewall set to Accept-Forward ETH00 and ETH03 to 0.0.0.0/0 -> 0.0.0.0/0

    And about ETH01?? Return traffic seems not allowed… are you using a proxy??
    cheers
    jonatha

    #52437

    meggawhat
    Member

    Thanks for the code!
    Yes ETH01 is directly connected to the internet.
    I am using the Zeroshell transparent proxy and Clam AV.

    I don’t understand the reason for this one though…. I do not have a 192.168.0.0 subnet.

    ACCEPT     all  --  ETH01   *        0.0.0.0/0         192.168.0.0/22    state RELATED,ESTABLISHED

    #52438

    redfive
    Participant

    Without a rule to permit the return traffic, only http traffic will be allowed, thanks to the http proxy, but https traffic will be denied… The 192.168.0.0/22 is a manually summarized network or supernet (the /22 mask is wider than the /24 class C default mask) and the rule

    4 ACCEPT     all  --  ETH01  *       0.0.0.0/0             192.168.0.0/22    state RELATED,ESTABLISHED 

    will permit the return traffic to 0.0, 1.0, 2.0 and 3.0. Obviously, having only the 1.0 and 2.0 networks, you can replace the previous rule (#4) with these

    4 ACCEPT     all  --  ETH01   ETH00    0.0.0.0/0         192.168.1.0/24    state RELATED,ESTABLISHED
    5 ACCEPT     all  --  ETH01   ETH03    0.0.0.0/0         192.168.2.0/24    state RELATED,ESTABLISHED

    Also, adding some rules in the INPUT chain would not be a bad idea.
    cheers
    jonatha
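The following is an added illustration, not code from the thread or from ZeroShell: a small Python model of the FORWARD chain redfive ends up with (rules 1, 2, 3, 4 and 5 above, default policy DROP) with a toy connection tracker, so you can see which flows pass. Interface names and the two LAN prefixes come from the thread; the host addresses, the example internet address 203.0.113.7 and the port numbers are constructed for the demonstration, and the routing decision (which interface a packet leaves on) is simplified to "longest matching LAN prefix, otherwise ETH01".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology from the thread: two LAN interfaces plus ETH01 to the internet.
LAN = {
    "ETH00": ipaddress.ip_network("192.168.1.0/24"),  # employees (RADIUS)
    "ETH03": ipaddress.ip_network("192.168.2.0/24"),  # guests (WPA2)
}
WAN = "ETH01"
ANY = ipaddress.ip_network("0.0.0.0/0")
N = ipaddress.ip_network


def iface_for(ip: str) -> str:
    """Toy routing table: a LAN prefix maps to its interface, everything else goes out ETH01."""
    addr = ipaddress.ip_address(ip)
    for name, net in LAN.items():
        if addr in net:
            return name
    return WAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    @property
    def in_if(self) -> str:
        return iface_for(self.src)

    @property
    def out_if(self) -> str:
        return iface_for(self.dst)

    def tuple5(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse5(self):
        return (self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Rule:
    """One ACCEPT rule of the FORWARD chain; fields mirror the columns in the thread."""
    in_if: Optional[str] = None        # None means "*"
    out_if: Optional[str] = None
    out_negated: bool = False          # "!ETH00" in rule 2
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    established_only: bool = False     # "state RELATED,ESTABLISHED"

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and (pkt.out_if == self.out_if) == self.out_negated:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return not self.established_only or state == "ESTABLISHED"


FORWARD = [
    Rule(in_if="ETH00", src=N("192.168.1.0/24")),                                                      # 1
    Rule(in_if="ETH03", out_if="ETH00", out_negated=True, src=N("192.168.2.0/24")),                   # 2
    Rule(in_if="ETH03", out_if="ETH00", src=N("192.168.2.0/24"), dst=N("192.168.1.0/24"),
         established_only=True),                                                                       # 3
    Rule(in_if=WAN, out_if="ETH00", dst=N("192.168.1.0/24"), established_only=True),                  # 4
    Rule(in_if=WAN, out_if="ETH03", dst=N("192.168.2.0/24"), established_only=True),                  # 5
]


class Firewall:
    """First-match chain with a default policy and a minimal conntrack table of accepted flows."""

    def __init__(self, rules, policy="DROP"):
        self.rules = rules
        self.policy = policy
        self.conntrack = set()

    def state_of(self, pkt: Packet) -> str:
        if pkt.tuple5() in self.conntrack or pkt.reverse5() in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    def forward(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        verdict = next((rule and "ACCEPT" for rule in self.rules if rule.matches(pkt, state)), self.policy)
        if verdict == "ACCEPT":
            self.conntrack.add(pkt.tuple5())   # only accepted packets create state
        return verdict


def run_scenarios() -> dict:
    """Constructed flows covering the thread's requirements; returns scenario -> verdict."""
    fw = Firewall(FORWARD)
    r = {}
    # Guest opens a connection towards an employee host: must be dropped.
    r["guest_to_employee_new"] = fw.forward(Packet("192.168.2.10", "192.168.1.5", "tcp", 40000, 445))
    # Employee opens a connection to a guest host; the guest's reply rides on rule 3.
    r["employee_to_guest_new"] = fw.forward(Packet("192.168.1.5", "192.168.2.10", "tcp", 50000, 80))
    r["guest_reply_to_employee"] = fw.forward(Packet("192.168.2.10", "192.168.1.5", "tcp", 80, 50000))
    # Guest HTTPS to the internet (not handled by the http proxy); reply comes back in on ETH01 via rule 5.
    r["guest_to_internet_new"] = fw.forward(Packet("192.168.2.10", "203.0.113.7", "tcp", 41000, 443))
    r["internet_reply_to_guest"] = fw.forward(Packet("203.0.113.7", "192.168.2.10", "tcp", 443, 41000))
    # Unsolicited inbound from the internet to an employee host: no state, so the default DROP applies.
    r["internet_to_employee_new"] = fw.forward(Packet("203.0.113.7", "192.168.1.5", "tcp", 1234, 22))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```

The model shows why rule 3 is needed even though the guest network must not reach the employee network: it admits only packets that belong to a flow the employee side opened first, and without rules 4 and 5 (or the /22 summary rule) the internet reply to the guest's HTTPS request would hit the default DROP, which is the "https denied" symptom redfive describes.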
