linux
azalio, 2012-04-08 02:03:04

How to disable local traffic between two local interfaces?

There is a Linux box with 3 network interfaces:
eth0 - inet
eth1 - lan1 - gw 192.168.1.1
eth2 - lan2 - gw 192.168.10.1

Users from both networks must have Internet access.

I want to make sure that no one from lan2 can see anything from lan1.

I added:
iptables -A FORWARD -i eth2 -o eth1 -j DROP

But a user on the lan2 network can still easily reach the IP address on the eth1 interface, 192.168.1.1, which is not what I want.

upd. The following helped. Thanks for the help!
iptables -L -v
Chain INPUT (policy DROP 21 packets, 1148 bytes)
 pkts bytes target prot opt in  out source          destination
    9   488 DROP   all  --  any any 192.168.10.0/24 192.168.1.0/24



8 answer(s)
ergil (@ergil), 2012-04-08

And what does route -n show? You never know what you've piled up in there.

Andrey Grigoriev (@eigrad), 2012-04-08

<vanga_mode>Do you have eth1 and eth2 plugged into the same switch?</vanga_mode>

nicolnx (@nicolnx), 2012-04-08

Try filtering in INPUT as well.

da0c (@da0c), 2012-04-08

Everything seems correct; it's hard to say, but I would check:
- whether there is any rule in the FORWARD chain that comes before
iptables -A FORWARD -i eth2 -o eth1 -j DROP
and lets the packets through
- whether everything is separated at the switch level (although that question has already been asked)
- whether packets can be forwarded lan2 - lan0 - lan1, although the route seems to be normal...
- by the way, are the gateways on the machines in lan2 and lan1 correct?
- try logging the packets with iptables, or look at them with tcpdump, to find out how they still get through

Sergey (@bondbig), 2012-04-08

Firewall rules are matched from top to bottom, on the first match. If there is a rule above it that this traffic matches, none of the ones below it will apply.

DobroFenix (@DobroFenix), 2012-04-08

Install MikroTik RouterOS and don't worry, if there isn't a lot of traffic.
Here are the rules from ROS; I think you'll figure out how to rewrite them for iptables:
chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.10.0/24
chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.1.0/24
As already said, put them at the very top.

1x1 (@1x1), 2012-04-08

192.168.1.1 belongs to the server itself, not the network behind it, so the rules for this case will be different.
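This answer is the crux of the thread: a packet whose destination is 192.168.1.1 is delivered to the box itself, so it traverses the INPUT chain and never FORWARD, and the rule in the question cannot see it. The script below is an added example, not code from the question or from any of the answers, of a complete rule set for the box as described. The interface names and addresses are the ones given in the question; the default-deny policies, the conntrack handling, the NAT rule, the interface-based INPUT matches and the file name `lans.sh` are assumptions about a sensible setup. Setting `IPT=echo` prints the commands instead of applying them, which is how the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): isolate lan1 and lan2 on a
# three-interface Linux router while letting both reach the Internet.
# Interface names and addresses are the ones from the question; the rest
# of the policy is an assumption.  Run with IPT=echo to preview the rules.
set -eu

IPT="${IPT:-iptables}"

INET_IF=eth0
LAN1_IF=eth1; LAN1_NET=192.168.1.0/24;  LAN1_GW=192.168.1.1
LAN2_IF=eth2; LAN2_NET=192.168.10.0/24; LAN2_GW=192.168.10.1

apply_rules() {
    # Clean slate, default deny for anything aimed at or through the box.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box or its users opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # INPUT: packets addressed to the box itself.  Linux answers on every
    # local address regardless of the arriving interface (weak host model),
    # so a lan2 host can reach 192.168.1.1 via 192.168.10.1 unless stopped
    # here.  Each LAN may only talk to the gateway address on its own
    # interface.  Matching on the interface rather than on -s also catches
    # packets that forge a lan1 source address.  Note that broadcasts (for
    # example DHCP requests) are dropped by the "! -d" rule too; accept them
    # explicitly ahead of it if the box serves them.
    $IPT -A INPUT -i "$LAN2_IF" ! -d "$LAN2_GW" -j DROP
    $IPT -A INPUT -i "$LAN1_IF" ! -d "$LAN1_GW" -j DROP
    $IPT -A INPUT -i "$LAN1_IF" -j ACCEPT
    $IPT -A INPUT -i "$LAN2_IF" -j ACCEPT

    # FORWARD: packets passing through the box.  Keep the two LANs apart in
    # both directions; these go before any ACCEPT because the first match
    # wins.  Then let both LANs out to the Internet.
    $IPT -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -j DROP
    $IPT -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -j DROP
    $IPT -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -o "$INET_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN2_IF" -s "$LAN2_NET" -o "$INET_IF" -j ACCEPT

    # Hide both LANs behind the Internet-facing address.
    $IPT -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE
}

# Only touch the firewall when explicitly asked, so the file can be
# sourced or previewed safely:  IPT=echo sh lans.sh apply
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Preview with `IPT=echo sh lans.sh apply` and apply as root with `sh lans.sh apply`. Compared with the INPUT rule in the question's update, which matches on source and destination address, matching on the arriving interface also stops a lan2 host that forges a source address from 192.168.1.0/24; enabling reverse-path filtering (`sysctl -w net.ipv4.conf.all.rp_filter=1`) covers the same spoofing case for forwarded traffic. Verify with `iptables -L -v -n` and a ping from a lan2 host to 192.168.1.1, which should now time out while the same host still reaches the Internet.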

