On Tuesday 07 May 2002 12:53 pm, Svavar Örn Eysteinsson wrote:
> I have a firewall configured as below :
>
> eth0 : External Interface (public)
> eth1 : 10.100.0.9/255.255.0.0
> eth2 : 10.100.2.9/255.255.0.0
> eth3 : 10.100.4.9/255.255.0.0
I don't like the look of these addresses *at all*. With a netmask of 255.255.0.0, you have a network address of 10.100.0.0 on all three interfaces! What does your routing table look like!?

> As I want to block any traffic from 10.100.4.0 network to the 10.100.0.0
> network but
> still of course be able to give 10.100.4.0 network access to the firewall
> and route it out.

Once you've got your standard addressing / routing sorted out :-) you can use something like this:

iptables -A FORWARD -i eth1 -d 10.100.0.0/16 -j REJECT
iptables -A FORWARD -i eth2 -d 10.100.0.0/16 -j REJECT
iptables -A FORWARD -i eth3 -d 10.100.0.0/16 -j REJECT

These rules say "if a packet comes in on eth1/2/3, with a destination of either of my other internal interfaces, then drop it". Packets coming in on eth1/2/3 for any other destination address will not get dropped (you need to have a default policy of ACCEPT, or better, follow these rules with your normal state-matching rules to allow established connections etc.).

Antony.
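The following is an added illustration, not part of the mail above and not netfilter code: a small first-match model of the FORWARD chain that renders Antony's three REJECT rules as iptables command lines and then shows what verdict each of a few constructed packets would get. It assumes, as the mail suggests, that the REJECT rules are followed by "normal state-matching rules" (an ESTABLISHED,RELATED accept and a NEW-from-LAN-to-eth0 accept, both my assumption) with a DROP policy, and it takes the output interface as given, sidestepping the overlapping-netmask routing problem Antony points out. Packets addressed to the firewall itself go through INPUT, not FORWARD, so they are outside this model; that is also why the original poster's LANs keep access to the firewall regardless of these rules.

```python
"""Toy model of a netfilter FORWARD chain (illustration only, not netfilter code).

Supports just the matches used on this page: -i, -o, -d and -m state --state.
Rules are evaluated top to bottom; the first match decides, else the chain policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                                   # ACCEPT / REJECT / DROP
    in_if: Optional[str] = None                   # -i <iface>
    out_if: Optional[str] = None                  # -o <iface>
    dst: Optional[ipaddress.IPv4Network] = None   # -d <net/prefix>
    states: Optional[frozenset] = None            # -m state --state a,b

    def as_iptables(self, chain: str = "FORWARD") -> str:
        """Render this rule as the iptables command that would append it."""
        parts = ["iptables", "-A", chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.dst:
            parts += ["-d", str(self.dst)]
        if self.states:
            parts += ["-m", "state", "--state", ",".join(sorted(self.states))]
        parts += ["-j", self.target]
        return " ".join(parts)


@dataclass
class Packet:
    in_if: str
    out_if: str          # chosen by routing; assumed here, not computed
    src: str
    dst: str
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED or RELATED


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match specified on the rule holds for the packet."""
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def forward_verdict(chain, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; fall back to the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


INTERNAL = ipaddress.ip_network("10.100.0.0/16")
LAN_IFS = ("eth1", "eth2", "eth3")

# The three rules from the mail, exactly as written (-d 10.100.0.0/16, REJECT).
REJECT_RULES = [Rule("REJECT", in_if=i, dst=INTERNAL) for i in LAN_IFS]

# Assumed "normal state-matching rules" that follow them (my assumption, not the mail's):
# replies to already-established flows, then new LAN-to-Internet flows only.
STATE_RULES = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))] + [
    Rule("ACCEPT", in_if=i, out_if="eth0", states=frozenset({"NEW"})) for i in LAN_IFS
]

FORWARD = REJECT_RULES + STATE_RULES

# Constructed sample packets (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = {
    "lan4_to_lan0": Packet("eth3", "eth1", "10.100.4.20", "10.100.0.50"),
    "lan4_to_internet": Packet("eth3", "eth0", "10.100.4.20", "203.0.113.10"),
    "internet_reply": Packet("eth0", "eth3", "203.0.113.10", "10.100.4.20", "ESTABLISHED"),
    "internet_unsolicited": Packet("eth0", "eth3", "198.51.100.7", "10.100.4.20"),
}


def evaluate_samples() -> dict:
    """Verdict for each constructed packet under the modelled FORWARD chain."""
    return {name: forward_verdict(FORWARD, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for rule in FORWARD:
        print(rule.as_iptables())
    for name, verdict in evaluate_samples().items():
        print(f"{name:22s} -> {verdict}")
```

Running it prints the six rules and then REJECT for the 10.100.4.0 to 10.100.0.0 packet, ACCEPT for the outbound flow and its reply, and DROP (the policy) for an unsolicited inbound packet. The ordering matters: because the REJECT rules sit before the state rules, inter-LAN replies are refused as well, which is what the mail's wording implies.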
