
I have network A (remote) and network B (local).

Network B needs to be able to access network A, but nobody should be able to access network B. How would I go about putting an IPTABLES rule in the router for network B to do this?

Lock
  • I see that you're still active on ServerFault. To prevent this question from showing up in searches as unanswered, please either provide additional clarity, or accept one of the answers given. If you found a different solution to your problem, provide your own answer and flag it as accepted. Thanks! – Andrew B Jun 16 '13 at 20:07

2 Answers


It's possible to do this with iptables, but you need to be mindful of connection states. You have to allow reply packets from Network A without allowing them to initiate new connections into Network B.

Something like this should do:

iptables -A FORWARD -i eth_netA -o eth_netB -s 10.1.2.3/24 -d 10.4.5.6/24 -m state --state=established,related -j ACCEPT
# if your default policy is ALLOW:
iptables -A FORWARD -i eth_netA -o eth_netB -s 10.1.2.3/24 -d 10.4.5.6/24 -j DROP
# if your default policy is DROP:
iptables -A FORWARD -i eth_netB -o eth_netA -s 10.4.5.6/24 -d 10.1.2.3/24 -j ACCEPT

Note that we're using the `FORWARD` table here, not `INPUT`. This is because your machine is routing packets between networks, and you're wanting to catch packets that aren't bound for the router itself. You can leave off the `-s` and `-d` statements if you simply want to apply these rules to all traffic being forwarded across those two interfaces.

Be advised that this relies upon the connection tracking features of iptables (which is already loaded if you have any `-t nat` rules), and you may need to do some tuning of ip_conntrack parameters if you're sending a heavy load of packets back and forth. The most common warning sign is the `table full, dropping packet` message in syslog.

Andrew B
  • +1 the important part is the "--state=established,related" in the first rule. This lets replies from network A through, but doesn't let net A start a new connection. – Grant Mar 14 '13 at 12:55
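As an added example (not code from either answer), the approach above written out as a complete, reviewable FORWARD rule set with a default DROP policy, using the `conntrack` match (the current spelling of `-m state`) and logging refused inbound attempts so they show up in syslog. Interface names and subnets are placeholders, not values from the question, and the router's own INPUT chain is assumed to be handled separately.

```shell
#!/bin/sh
# Constructed example: one-way forwarding on the network-B router.
# Network B (LAN_IF/LAN_NET) may open connections to network A
# (WAN_IF/REMOTE_NET); network A only ever gets reply traffic back.
# Interface and subnet values are placeholders.
LAN_IF="${LAN_IF:-eth_netB}"
WAN_IF="${WAN_IF:-eth_netA}"
LAN_NET="${LAN_NET:-10.4.5.0/24}"
REMOTE_NET="${REMOTE_NET:-10.1.2.0/24}"
IPT="${IPT:-iptables}"

# Emit the rule set, one iptables argument list per line, in load order.
# Printed rather than executed so it can be reviewed (and tested) without root.
# Order matters: INVALID is dropped first, replies from A are accepted only
# when conntrack already knows the flow, B may start anything towards A,
# and whatever A tries to initiate is logged (rate-limited) before the
# chain policy drops it.
netb_forward_rules() {
    cat <<EOF
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $WAN_IF -o $LAN_IF -s $REMOTE_NET -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY-A2B: "
EOF
}

# Load the rules through $IPT (set IPT="echo iptables" for a dry run).
netb_forward_apply() {
    netb_forward_rules | while IFS= read -r line; do
        eval "$IPT $line"
    done
}

# Self-check of intent: no rule may ACCEPT traffic arriving on WAN_IF
# unless it is conditioned on ESTABLISHED,RELATED. Returns 0 when safe.
netb_forward_check() {
    if netb_forward_rules | grep -- "-i $WAN_IF" | grep -v ESTABLISHED | grep -q ACCEPT; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    netb_forward_apply
else
    netb_forward_rules
fi
```

Run the script with no arguments to review the rules, and with `--apply` (as root) to load them.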

Try adding an inbound rule to drop the subnet's traffic:

# iptables -A INPUT -s 192.168.100.0/24 -j DROP

SnakeDoc
  • Thanks, I'll add it and see how it goes. That will only stop connections initiated from 192.168.100.0/24... correct? – Lock Mar 14 '13 at 02:41
  • **DANGER**: Adding this rule to your `INPUT` table to your router will drop all traffic from that network, period. – Andrew B Mar 14 '13 at 03:48
  • I do think that is what the poster is asking for, however. – Stefan Lasiewski Mar 14 '13 at 04:26
    1. If you have `POLICY DROP` in your `INPUT` chain and this is the last rule, then it's superfluous. 2. This will only drop traffic directed at the router itself, not between two networks; you need the `FORWARD` chain for that. – SmallClanger Mar 14 '13 at 09:09
  • 3. Even if this was the `FORWARD` chain and the default policy was `ALLOW`, this would kill all the reply packets. – Andrew B Mar 14 '13 at 12:35