Awesome. Glad you got it working, and glad I could help.

Jeremiah E. Bess
Network Ninja, Penguin Geek, Father of four


On Sat, Jul 2, 2011 at 16:40, linuxuser <[email protected]> wrote:

> Thanks Jeremiah.  Really appreciate it.  You're right about your first
> point and I removed the entries for the second subnet.  I have a
> router connected to the cable modem and a DD-WRT router acting as an
> access point.  I had to use a second subnet there.  One of these days
> I am going to figure out how to traverse subnets to get to this
> fileserver, but that's another post.
>
> I used the setup you recommended above and it works great.  I figured
> out that part of my problem was using /32 when my subnet is /24.  Once
> I fixed that, I was good to go!
>
>
> On Jul 2, 8:47 am, Jeremiah Bess <[email protected]> wrote:
> > I did some playing around with iptables in a virtual machine. I was able to
> > successfully allow all subnet traffic, but disallow any outgoing or incoming
> > traffic from any other network. I added logging to verify it was working.
> > You can use similar rules to this, just be sure to turn down the logging
> > level once you have the bugs worked out.
> >
> > iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
> > iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
> > iptables -A INPUT -j DROP
> > # outbound: match on destination, the source of OUTPUT is always this host
> > iptables -A OUTPUT -d 10.0.0.0/24 -j ACCEPT
> > iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
> > iptables -A OUTPUT -j DROP
> >
> > To check the logs, you will have to do some additional setup. Add
> > "kern.=debug   /var/log/firewall" to the end of your syslog.conf file (my
> > fedora laptop shows it's /etc/rsyslog.conf). Restart the syslog service with
> > "/etc/rsyslog restart". Now, open another virtual console, and type "tail -f
> > /var/log/firewall". Test away, and you should be able to see the logs now on
> > the tail screen.
> >
> > I also just noticed you have a 192.168.1.0 subnet and a 192.198.2.0 subnet.
> > Is there a reason to have those separate? How many hosts are on each?
> >
> > Jeremiah E. Bess
> > Network Ninja, Penguin Geek, Father of four
> >
> >
> >
> > On Fri, Jul 1, 2011 at 22:55, Jeremiah Bess <[email protected]> wrote:
> >
> > > I'm not an iptables expert, but I am in network security. Seems odd to me
> > > that inbound rules 1 and 2 have the same source and destination in each
> > > rule. The destination should always be your file server, since it sounds
> > > like this is not acting as a router.
> >
> > > Jeremiah E. Bess
> > > Network Ninja, Penguin Geek, Father of four
> >
> > > On Fri, Jul 1, 2011 at 21:47, linuxuser <[email protected]> wrote:
> >
> > >> I have a Fedora fileserver that I use on my home network only, so I
> > >> want it to have no outside access and no inbound access except for my
> > >> home subnets (a router and an access point).  Here's what I have built
> > >> so far, but it is not blocking pings to the outside world:
> >
> > >> [root@fedora ~]# iptables -L -v
> > >> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> > >>  pkts bytes target     prot opt in     out     source               destination
> > >>     0     0 ACCEPT     all  --  any    any     192.168.2.0          192.168.2.0
> > >>     0     0 ACCEPT     all  --  any    any     192.168.1.0          192.168.1.0
> > >>    43  3049 ACCEPT     all  --  eth0   any     anywhere             anywhere
> > >>     0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
> >
> > >> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > >>  pkts bytes target     prot opt in     out     source               destination
> >
> > >> Chain OUTPUT (policy ACCEPT 24 packets, 3312 bytes)
> > >>  pkts bytes target     prot opt in     out     source               destination
> > >>     0     0 ACCEPT     all  --  any    any     192.168.1.0          192.168.1.0
> > >>     0     0 ACCEPT     all  --  any    any     192.168.2.0          192.168.2.0
> >
> > >> My problem occurs when I delete INPUT 3 (the one with all the traffic)
> > >> or add OUTPUT 3 like this:
> > >> iptables -I OUTPUT 3 -d 0.0.0.0/0 -j DROP
> >
> > >> Lucky for me, I figured out that I could set up a crontab to stop
> > >> iptables every 10 minutes so that I could get back in.  Any
> > >> suggestions?
> >
> > >> --
> > >> You received this message because you are subscribed to the Linux Users
> > >> Group.
> > >> To post a message, send email to [email protected]
> > >> To unsubscribe, send email to [email protected]
> > >> For more options, visit our group at
> > >> http://groups.google.com/group/linuxusersgroup
> > >> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or
> > >> http://cdn.fsdev.net/List-Rules.pdf)

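As an added example, written for this page and not taken from any message in the thread, the POSIX sh script below turns the approach Jeremiah describes into an iptables-restore file for a LAN-only file server: a default-drop policy on INPUT and OUTPUT (so a rule with a missing chain name cannot silently leave a hole), loopback and reply traffic allowed, the listed subnets allowed in both directions, and logged drops at the debug level he suggests. It also includes a check for the /32-versus-/24 mistake linuxuser hit, and a timed rollback that replaces the "stop iptables from cron every 10 minutes" workaround. The subnets 192.168.1.0/24 and 192.168.2.0/24, the backup path and the 120 second window are assumptions.

```shell
#!/bin/sh
# Added example: confine a LAN-only file server to its local subnets.
# Assumed subnets, backup path and rollback window; adjust for your network.

# check_cidr SUBNET: prints "ok" and returns 0, or prints a warning and
# returns 1. Catches the mistake from the thread: 192.168.1.0/32 matches
# only the single address 192.168.1.0, never the hosts in 192.168.1.0/24.
check_cidr() {
    case "$1" in
        */*) ;;
        *) echo "warn: $1 has no prefix length; iptables treats it as /32"; return 1 ;;
    esac
    addr=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        32)
            last=${addr##*.}
            if [ "$last" = "0" ]; then
                echo "warn: $1 is a single host address; did you mean $addr/24?"
                return 1
            fi
            ;;
        [0-9]|[12][0-9]|3[01]) ;;
        *) echo "warn: $1 has an invalid prefix length"; return 1 ;;
    esac
    echo "ok"
}

# gen_rules SUBNET...: prints an iptables-restore ruleset on stdout.
# Policy DROP means no trailing "-j DROP" rule is needed (or can be mistyped).
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # replies to connections that an earlier rule already allowed
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for net in "$@"; do
        echo "-A INPUT -s $net -j ACCEPT"
        # OUTPUT matches on destination: the source is always this host
        echo "-A OUTPUT -d $net -j ACCEPT"
    done
    # rate-limited so a scan cannot fill the log; kern.=debug catches level 7
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-level 7 --log-prefix "Dropped by firewall: "'
    echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-level 7 --log-prefix "Dropped by firewall: "'
    echo 'COMMIT'
}

# apply_with_rollback FILE: load the ruleset, then restore the previous one
# automatically after 120 s unless the background job is killed. A lockout
# therefore fixes itself, with no cron job that periodically disables the
# firewall. Requires root; not run by the checks below.
apply_with_rollback() {
    backup=/tmp/iptables.backup  # assumed path
    iptables-save > "$backup"
    iptables-restore < "$1"
    ( sleep 120; iptables-restore < "$backup" ) &
    echo "Rules loaded; run 'kill $!' within 120 s to keep them"
}

# Usage:  sh confine.sh 192.168.1.0/24 192.168.2.0/24 > rules.v4
#         then, as root:  apply_with_rollback rules.v4
if [ "$#" -gt 0 ]; then
    for net in "$@"; do
        check_cidr "$net" >&2 || exit 1
    done
    gen_rules "$@"
fi
```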
