Thanks Jeremiah. Really appreciate it. You're right about your first point and I removed the entries for the second subnet. I have a router connected to the cable modem and a DD-WRT router acting as an access point. I had to use a second subnet there. One of these days I am going to figure out how to traverse subnets to get to this fileserver, but that's another post.
I used the setup you recommended above and it works great. I figured out that part of my problem was using /32 when my subnet is /24. Once I fixed that, I was good to go!

On Jul 2, 8:47 am, Jeremiah Bess <[email protected]> wrote:
> I did some playing around with iptables in a virtual machine. I was able to
> successfully allow all subnet traffic, but disallow any outgoing or incoming
> traffic from any other network. I added logging to verify it was working.
> You can use similar rules to this, just be sure to turn down the logging
> level once you have the bugs worked out.
>
> iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
> iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -s 10.0.0.0/24 -j ACCEPT
> iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
> iptables -A OUTPUT -j DROP
>
> To check the logs, you will have to do some additional setup. Add
> "kern.=debug /var/log/firewall" to the end of your syslog.conf file (my
> fedora laptop shows it's /etc/rsyslog.conf). Restart the syslog service with
> "/etc/rsyslog restart". Now, open another virtual console, and type "tail -f
> /var/log/firewall". Test away, and you should be able to see the logs now on
> the tail screen.
>
> I also just noticed you have a 192.168.1.0 subnet and a 192.198.2.0 subnet.
> Is there a reason to have those separate? How many hosts are on each?
>
> Jeremiah E. Bess
> Network Ninja, Penguin Geek, Father of four
>
> On Fri, Jul 1, 2011 at 22:55, Jeremiah Bess <[email protected]> wrote:
> > I'm not an iptables expert, but I am in network security. Seems odd to me
> > that inbound rules 1 and 2 have the same source and destination in each
> > rule. The destination should always be your file server, since it sounds
> > like this is not acting as a router.
> >
> > Jeremiah E. Bess
> > Network Ninja, Penguin Geek, Father of four
> >
> > On Fri, Jul 1, 2011 at 21:47, linuxuser <[email protected]> wrote:
> >> I have a Fedora fileserver that I use on my home network only, so I
> >> want it to have no outside access and no inbound access except for my
> >> home subnets (a router and an access point). Here's what I have built
> >> so far, but it is not blocking pings to the outside world:
> >>
> >> [root@fedora ~]# iptables -L -v
> >> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> >>  pkts bytes target prot opt in   out  source       destination
> >>     0     0 ACCEPT all  --  any  any  192.168.2.0  192.168.2.0
> >>     0     0 ACCEPT all  --  any  any  192.168.1.0  192.168.1.0
> >>    43  3049 ACCEPT all  --  eth0 any  anywhere     anywhere
> >>     0     0 REJECT all  --  any  any  anywhere     anywhere     reject-with icmp-host-prohibited
> >>
> >> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >>  pkts bytes target prot opt in   out  source       destination
> >>
> >> Chain OUTPUT (policy ACCEPT 24 packets, 3312 bytes)
> >>  pkts bytes target prot opt in   out  source       destination
> >>     0     0 ACCEPT all  --  any  any  192.168.1.0  192.168.1.0
> >>     0     0 ACCEPT all  --  any  any  192.168.2.0  192.168.2.0
> >>
> >> My problem occurs when I delete INPUT 3 (the one with all the traffic)
> >> or add OUTPUT 3 like this:
> >> iptables -I OUTPUT 3 -d 0.0.0.0/0 -j DROP
> >>
> >> Lucky for me, I figured out that I could set up a crontab to stop
> >> iptables every 10 minutes so that I could get back in. Any
> >> suggestions?
> >>
> >> --
> >> You received this message because you are subscribed to the Linux Users
> >> Group.
> >> To post a message, send email to [email protected]
> >> To unsubscribe, send email to [email protected]
> >> For more options, visit our group at
> >> http://groups.google.com/group/linuxusersgroup
> >> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or
> >> http://cdn.fsdev.net/List-Rules.pdf)
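As an added example (not code from anyone in the thread), here is a small Python model of the LAN-only ruleset Jeremiah describes: it renders the accept/log/drop rules for the thread's 192.168.1.0/24 and 192.168.2.0/24 subnets and walks a chain first-match, which shows why the original listing's bare 192.168.2.0 entries (read by iptables as /32) matched zero packets. The walk is a simplified model of one chain, not iptables itself; it assumes OUTPUT matches on the destination address (-d), since a fileserver that is not routing has a local source on every outgoing packet, and 203.0.113.5 is a constructed outside address.

```python
import ipaddress

LAN_SUBNETS = ("192.168.1.0/24", "192.168.2.0/24")  # the thread's two subnets

def build_chain(subnets, match_flag):
    """One chain as (flag, network, target) tuples: accept each LAN subnet,
    log everything else, then drop it (network=None matches any address).
    A bare address with no /len becomes a /32, exactly as iptables reads it."""
    chain = [(match_flag, ipaddress.ip_network(n), "ACCEPT") for n in subnets]
    chain.append((None, None, "LOG"))
    chain.append((None, None, "DROP"))
    return chain

def render(chain_name, chain, log_level=7):
    """Render a chain as the iptables -A commands used in the thread."""
    cmds = []
    for flag, net, target in chain:
        match = f" {flag} {net}" if net is not None else ""
        opts = ""
        if target == "LOG":
            opts = f' --log-level {log_level} --log-prefix "Dropped by firewall: "'
        cmds.append(f"iptables -A {chain_name}{match} -j {target}{opts}")
    return cmds

def verdict(chain, addr, policy="ACCEPT"):
    """Simplified first-match walk of one chain for the address its rules
    match on (source for INPUT, destination for OUTPUT). LOG does not
    terminate the walk, so a logged packet still reaches the DROP after it;
    the chain policy applies only when no terminating rule matched."""
    ip = ipaddress.ip_address(addr)
    for _flag, net, target in chain:
        if net is not None and ip not in net:
            continue
        if target == "LOG":
            continue
        return target
    return policy

if __name__ == "__main__":
    inbound = build_chain(LAN_SUBNETS, "-s")    # INPUT matches the source
    outbound = build_chain(LAN_SUBNETS, "-d")   # OUTPUT matches the destination
    for cmd in render("INPUT", inbound) + render("OUTPUT", outbound):
        print(cmd)
    # The original listing's entries had no mask, so iptables treated them as /32
    broken = build_chain(("192.168.2.0",), "-s")
    print(verdict(inbound, "192.168.2.10"))   # ACCEPT: inside 192.168.2.0/24
    print(verdict(broken, "192.168.2.10"))    # DROP: only 192.168.2.0/32 matches
    print(verdict(outbound, "203.0.113.5"))   # DROP: not a LAN destination
```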
