I did some playing around with iptables in a virtual machine. I was able to successfully allow all subnet traffic, but disallow any outgoing or incoming traffic from any other network. I added logging to verify it was working. You can use similar rules to this, just be sure to turn down the logging level once you have the bugs worked out.
    iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
    iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
    iptables -A INPUT -j DROP
    # Match outbound traffic on its destination, not its source: a locally
    # generated packet always carries this host's own address as source.
    iptables -A OUTPUT -d 10.0.0.0/24 -j ACCEPT
    iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
    iptables -A OUTPUT -j DROP

To check the logs, you will have to do some additional setup. Add "kern.=debug /var/log/firewall" to the end of your syslog.conf file (my Fedora laptop shows it's /etc/rsyslog.conf). Restart the syslog service with "service rsyslog restart". Now, open another virtual console, and type "tail -f /var/log/firewall". Test away, and you should be able to see the logs now on the tail screen.

I also just noticed you have a 192.168.1.0 subnet and a 192.168.2.0 subnet. Is there a reason to have those separate? How many hosts are on each?

Jeremiah E. Bess
Network Ninja, Penguin Geek, Father of four

On Fri, Jul 1, 2011 at 22:55, Jeremiah Bess <[email protected]> wrote:
> I'm not an iptables expert, but I am in network security. Seems odd to me
> that inbound rules 1 and 2 have the same source and destination in each
> rule. The destination should always be your file server, since it sounds
> like this is not acting as a router.
>
> Jeremiah E. Bess
> Network Ninja, Penguin Geek, Father of four
>
> On Fri, Jul 1, 2011 at 21:47, linuxuser <[email protected]> wrote:
>> I have a Fedora fileserver that I use on my home network only, so I
>> want it to have no outside access and no inbound access except for my
>> home subnets (a router and an access point). Here's what I have built
>> so far, but it is not blocking pings to the outside world:
>>
>> [root@fedora ~]# iptables -L -v
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  any    any     192.168.2.0          192.168.2.0
>>     0     0 ACCEPT     all  --  any    any     192.168.1.0          192.168.1.0
>>    43  3049 ACCEPT     all  --  eth0   any     anywhere             anywhere
>>     0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 24 packets, 3312 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  any    any     192.168.1.0          192.168.1.0
>>     0     0 ACCEPT     all  --  any    any     192.168.2.0          192.168.2.0
>>
>> My problem occurs when I delete INPUT 3 (the one with all the traffic)
>> or add OUTPUT 3 like this:
>> iptables -I OUTPUT 3 -d 0.0.0.0/0 -j DROP
>>
>> Lucky for me, I figured out that I could set up a crontab to stop
>> iptables every 10 minutes so that I could get back in. Any
>> suggestions?
>>
>> --
>> You received this message because you are subscribed to the Linux Users Group.
>> To post a message, send email to [email protected]
>> To unsubscribe, send email to [email protected]
>> For more options, visit our group at http://groups.google.com/group/linuxusersgroup
>> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf)
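A first-match walk through the rules in this thread, added here as an example; it is not code from either poster. It transcribes the INPUT and OUTPUT rules from the iptables -L -v listing above, where the addresses carry no /24 and therefore match only the single host 192.168.x.0 (which is why those rules show 0 packets while the eth0 "anywhere" rule accepts everything), and compares them with a constructed replacement. The server address 192.168.1.10, the two /24 subnets, the client 192.168.2.20, the outside host 203.0.113.7 and the test packets are all assumptions. It also shows why an OUTPUT rule that accepts on the source subnet, rather than the destination, never blocks anything.

```python
"""Added example: first-match walk of iptables filter rules (not list code).

Walks a chain the way netfilter does: top to bottom, first terminating
target wins, LOG matches and falls through, the chain policy applies when
nothing matched.  Rule sets and packets are constructed for the thread
above; addresses marked as assumptions are not from the posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    in_iface: Optional[str] = None   # interface it arrived on (INPUT)
    out_iface: Optional[str] = None  # interface it leaves by (OUTPUT)


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o

    def matches(self, p: Packet) -> bool:
        # As in iptables, an address given without a mask is a /32 host.
        if p.src not in ipaddress.ip_network(self.src, strict=False):
            return False
        if p.dst not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.out_iface and p.out_iface != self.out_iface:
            return False
        return True


def pkt(src: str, dst: str, in_iface: Optional[str] = None,
        out_iface: Optional[str] = None) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                  in_iface, out_iface)


def evaluate(rules: List[Rule], chain: str, p: Packet,
             policy: str = "ACCEPT") -> Tuple[Optional[int], str]:
    """Return (1-based rule number in the chain, verdict); None = policy."""
    chain_rules = [r for r in rules if r.chain == chain]
    for number, rule in enumerate(chain_rules, start=1):
        if rule.matches(p) and rule.target in TERMINATING:
            return number, rule.target
    return None, policy


# Transcribed from the iptables -L -v listing in the original post.  No /24
# was given, so each "subnet" rule matches only the host 192.168.x.0 itself.
POSTED = [
    Rule("INPUT", "ACCEPT", src="192.168.2.0", dst="192.168.2.0"),
    Rule("INPUT", "ACCEPT", src="192.168.1.0", dst="192.168.1.0"),
    Rule("INPUT", "ACCEPT", in_iface="eth0"),      # swallows everything
    Rule("INPUT", "REJECT"),
    Rule("OUTPUT", "ACCEPT", src="192.168.1.0", dst="192.168.1.0"),
    Rule("OUTPUT", "ACCEPT", src="192.168.2.0", dst="192.168.2.0"),
]

# Constructed replacement.  SERVER and the two /24s are assumptions.  Inbound
# matches on source, outbound on destination, loopback stays open, and the
# rest is logged then dropped.  If the box must reach outside hosts (updates,
# NTP), add -m conntrack --ctstate ESTABLISHED,RELATED rules ahead of the LOG.
SERVER = "192.168.1.10"
LANS = ["192.168.1.0/24", "192.168.2.0/24"]
FIXED = (
    [Rule("INPUT", "ACCEPT", in_iface="lo")]
    + [Rule("INPUT", "ACCEPT", src=lan, dst=SERVER) for lan in LANS]
    + [Rule("INPUT", "LOG"), Rule("INPUT", "DROP")]
    + [Rule("OUTPUT", "ACCEPT", out_iface="lo")]
    + [Rule("OUTPUT", "ACCEPT", dst=lan) for lan in LANS]
    + [Rule("OUTPUT", "LOG"), Rule("OUTPUT", "DROP")]
)

# Pitfall: a locally generated packet always has this host's address as its
# source, so an OUTPUT rule keyed on "-s <my subnet>" accepts everything.
SRC_KEYED_OUTPUT = [Rule("OUTPUT", "ACCEPT", src="192.168.1.0/24"),
                    Rule("OUTPUT", "DROP")]

# Constructed traffic; 203.0.113.0/24 is a documentation range, not a real host.
OUTSIDE = "203.0.113.7"
CLIENT = "192.168.2.20"
PING_IN = pkt(OUTSIDE, SERVER, in_iface="eth0")
SHARE_IN = pkt(CLIENT, SERVER, in_iface="eth0")
PING_OUT = pkt(SERVER, OUTSIDE, out_iface="eth0")
REPLY_OUT = pkt(SERVER, CLIENT, out_iface="eth0")

if __name__ == "__main__":
    for label, chain, p in [("ping from outside", "INPUT", PING_IN),
                            ("share access from LAN", "INPUT", SHARE_IN),
                            ("ping to outside", "OUTPUT", PING_OUT),
                            ("reply to LAN client", "OUTPUT", REPLY_OUT)]:
        print(f"{label:22} posted={evaluate(POSTED, chain, p)} "
              f"fixed={evaluate(FIXED, chain, p)}")
    print("source-keyed OUTPUT, ping to outside:",
          evaluate(SRC_KEYED_OUTPUT, "OUTPUT", PING_OUT))
```

Running it shows the posted INPUT chain accepting the outside ping at rule 3 and the posted OUTPUT chain falling through to its ACCEPT policy, while the replacement drops both at its final rule and still lets the LAN client in and the server's replies out. Walk a change through a simulator like this, or at least keep the crontab reset the original poster describes, before loading an OUTPUT DROP on a box you can only reach over the network.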
