block windows file sharing traffic between networks


 
# 8  
Old 12-02-2011
Quote:
Originally Posted by herot
why do you want it to be wireless router instead of a computer?
Mostly, because it's easier to hook up a keyboard and monitor to a computer if you firewall yourself out. Though I'm sure I'm preaching to the choir there.

Also because it changes your environment quite a bit. I suppose you've got a full iptables, but nearly everything else is a feature-reduced version of what you'd get on a PC.
# 9  
Old 12-03-2011
didn't work

Code:
root@?:/tmp/home/root# iptables -A INPUT -s 192.0.0.0/24 -d 192.0.3.0/24 '!' -dp
orts 9100,22,23 -j DROP
iptables v1.3.8: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
root@?:/tmp/home/root# iptables -A INPUT -s 192.0.3.0/24 -d 192.0.0.0/24 '!' -dp
orts 9100,22,23 -j DROP
iptables v1.3.8: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
root@?:/tmp/home/root#

---------- Post updated at 11:09 PM ---------- Previous update was at 08:17 PM ----------

I tried this:
Code:
iptables -I OUTPUT 1 -p tcp -d 192.0.0.0/24 --dport 22 -j ACCEPT
iptables -I OUTPUT 2 -p tcp -d 192.0.0.0/24 --dport 23 -j ACCEPT
iptables -I OUTPUT 3 -p tcp -d 192.0.0.0/24 --dport 9100 -j ACCEPT
iptables -I OUTPUT 4 -d 192.0.0.0/24 -j DROP

It cut my access off entirely. Do I need to make the drop portion the first in the list?
# 10  
Old 12-05-2011
Quote:
Originally Posted by Corona688
That's odd. It usually doesn't make sense to route SMB traffic at all. Do the computers believe they're all on one big subnet? That'd be more like bridging.
Our network topo is this:

We have dual homed servers. 1 home is 192.0.10.0 (main home LAN) other home is 192.0.0.0 (WAN). We have the 192.0.0.0 (WAN) so our servers can talk over WAN to our other location (192.0.3.0). It is a Frame Relay connection. We have serial network printers in the other location (192.0.3.0) but the server (that people work on and send print jobs from) is at the main location (192.0.0.0).

NOW the other location. Its LAN is 192.0.3.0. It still needs to talk to 192.0.0.0 (WAN) to connect to the unix server (off site) and so the unix server can send print jobs to the (on site) printers. THUS, 192.0.3.0 (other home LAN) must communicate with 192.0.0.0 (WAN) but it only needs to for those printing purposes. I could let the clients ssh over internet for the terminal sessions.

in short:

main site ------------------------------------------other site
LAN1 (192.0.10.0) ------ WAN (192.0.0.0) -------- LAN2 (192.0.3.0)
server here -------------------------------------------printer here

The issue that caught my eye is this:

192.0.3.0 (LAN) router has static route to 192.0.0.0 frame (WAN)

I just installed a NAS on the 192.0.3.0 LAN. I mapped a share from the NAS to a network drive on a pc. I started an image backup from some backup software we use (EaseUS Todo) to image the pc drive to the NAS share. Job running fine. Frame starts dropping print jobs. Frame drops hella pings. I log back in to the pc that is being backed up and KILL the backup. INSTA presto Frame (WAN) (192.0.0.0) comes back up and starts working fine again.

my conclusion:

I need to stop all traffic except essential from possibly leaking onto WAN frame (192.0.0.0) from 192.0.3.0 OR 192.0.10.0


AND by the way,

should this let me block all traffic except when from ports 9100,22,23?:

(following ip tables to be put in the 192.0.3.0 LAN router)

Code:
iptables -I OUTPUT 1 -p tcp -d 192.0.0.0/24 --dport 22 -j ACCEPT
iptables -I OUTPUT 2 -p tcp -d 192.0.0.0/24 --dport 23 -j ACCEPT
iptables -I OUTPUT 3 -p tcp -d 192.0.0.0/24 --dport 9100 -j ACCEPT
iptables -I OUTPUT 4 -d 192.0.0.0/24 -j DROP


Last edited by herot; 12-05-2011 at 10:26 AM..
# 11  
Old 12-05-2011
What those rules do greatly depends on your existing firewall setup. That's another reason it's good to know that you're using a wireless router: It means you probably already have a fairly complicated pre-packaged firewall setup that neither of us know much about. It might be better to use their system than craft raw rules yourself if possible.

What's this -I OUTPUT 4? Why not just append rules at the same time as the firewall's being made instead of inserting later?
# 12  
Old 12-05-2011
Quote:
Originally Posted by Corona688
What those rules do greatly depends on your existing firewall setup. That's another reason it's good to know that you're using a wireless router: It means you probably already have a fairly complicated pre-packaged firewall setup that neither of us know much about. It might be better to use their system than craft raw rules yourself if possible.

What's this -I OUTPUT 4? Why not just append rules at the same time as the firewall's being made instead of inserting later?
Well it goes DSL modem---Wireless router/LAN (static route from 192.0.3.0 to 192.0.0.0)

There is NAT at the modem and the router has some ports forwarded. There is no other hardware/software firewall.

Wireless router tells 192.0.3.0 how to get to 192.0.0.0. All I want to do is put some restrictions on the traffic that goes over that static route.

Don't I need to use -I OUTPUT for traffic leaving the router? Maybe I'm confused ... The WAN port on router is connected to dsl modem. The LAN ports on the router go to the switch to the 192.0.0.0 gateway device...
# 13  
Old 12-05-2011
-I inserts rules at the beginning. Why not -A? The difference could be important, especially with my present near-total ignorance of your current firewall. Depending on your firewall rules it's entirely possible that neither will work, and the rules have to be put in the appropriate place in your firewall instead of appended or prepended...

And for traffic to leave the router, it must also enter the router, yes? I think INPUT is more appropriate.

Have you tried the syntax as I actually gave them to you? I guess you can't use -dports, but otherwise...

Knowing your current firewall setup would be useful too...
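The three questions being argued over in this thread (which chain the rules belong in, what -I versus -A does to rule order, and how to express "everything except ports 9100, 22, 23") can be checked without touching a live router. The following is an added example, not code from the thread or from any iptables project: a small first-match simulator for the subset of iptables syntax the posters use. It loads the OUTPUT rules exactly as posted, a variant with a DROP inserted at position 1, and a constructed FORWARD policy for the topology described above (LAN2 reaches the server on 22/23, the server reaches LAN2 printers on 9100, established replies pass, everything else between the two subnets is dropped). The router address 192.0.3.1, the server 192.0.0.10, the printer 192.0.3.20, the NAS 192.0.3.30 and the sample packets are all constructed for the demo. The `-m multiport --dports 22,23` form is real iptables syntax for listing several destination ports; a bare `-dports` is read by the option parser as `-d ports`, which is why the router reported "multiple -d flags". The simulator accepts `!` written before the option it inverts; which placement a given iptables version accepts varies, so check `iptables -h` on the router itself.

```python
"""Added example (not from the thread): first-match simulator for a small subset of iptables."""
import ipaddress
import shlex

ROUTER_IPS = {"192.0.3.1"}                  # constructed: the router's own LAN address
_net = lambda a: ipaddress.ip_network(a, strict=False)
_ports = lambda a: {int(p) for p in a.split(",")}
OPTIONS = {                                 # option -> (rule field, value converter)
    "-s": ("src", _net), "-d": ("dst", _net), "-p": ("proto", str), "-j": ("target", str),
    "--dport": ("dports", _ports), "--dports": ("dports", _ports),
    "--state": ("state", lambda a: set(a.split(","))),
}

def parse_rule(cmd):
    """Return (chain, insert_position, rule) for one 'iptables ...' command line."""
    toks = shlex.split(cmd)[1:]             # drop the leading "iptables"
    chain, pos, i, rule = None, None, 0, {"neg": set()}
    while i < len(toks):
        negate = toks[i] == "!"             # '!' written in front of the option it inverts
        if negate:
            i += 1
        opt, arg = toks[i], toks[i + 1]
        i += 2
        if opt == "-A":
            chain = arg
        elif opt == "-I":                   # modelled as "-I CHAIN n" (the number is required here)
            chain, pos, i = arg, int(toks[i]), i + 1
        elif opt in OPTIONS:
            field, conv = OPTIONS[opt]
            rule[field] = conv(arg)
            if negate:
                rule["neg"].add(field)
        elif opt != "-m":                   # '-m multiport' / '-m state' only name the extension
            raise ValueError(f"unsupported option {opt!r}")
    return chain, pos, rule

def matches(rule, pkt):
    """Every field the rule specifies must hold; a field listed in rule['neg'] is inverted."""
    hit = {
        "src": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "proto": lambda v: pkt["proto"] == v,
        "dports": lambda v: pkt["dport"] in v,
        "state": lambda v: pkt["state"] in v,
    }
    return all(hit[k](v) != (k in rule["neg"]) for k, v in rule.items() if k in hit)

def load(*cmds):
    """Build {chain: [rules]} the way iptables orders them: -A appends, -I n inserts (1-based)."""
    chains = {}
    for cmd in cmds:
        chain, pos, rule = parse_rule(cmd)
        rules = chains.setdefault(chain, [])
        rules.insert(len(rules) if pos is None else pos - 1, rule)
    return chains

def verdict(chains, pkt, policy="ACCEPT"):
    """The first matching rule in the chain this packet traverses decides; otherwise the policy."""
    # Only the router's own traffic traverses INPUT/OUTPUT; traffic the router forwards hits FORWARD.
    chain = "INPUT" if pkt["dst"] in ROUTER_IPS else "OUTPUT" if pkt["src"] in ROUTER_IPS else "FORWARD"
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            return rule["target"]
    return policy

def packet(src, dst, dport, proto="tcp", state="NEW"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}

POSTED_RULES = [                            # the OUTPUT rules posted in the thread, as typed
    "iptables -I OUTPUT 1 -p tcp -d 192.0.0.0/24 --dport 22 -j ACCEPT",
    "iptables -I OUTPUT 2 -p tcp -d 192.0.0.0/24 --dport 23 -j ACCEPT",
    "iptables -I OUTPUT 3 -p tcp -d 192.0.0.0/24 --dport 9100 -j ACCEPT",
    "iptables -I OUTPUT 4 -d 192.0.0.0/24 -j DROP",
]
POSTED = load(*POSTED_RULES)
SHADOWED = load(*POSTED_RULES, "iptables -I OUTPUT 1 -d 192.0.0.0/24 -j DROP")  # DROP now first

# Constructed FORWARD policy for the thread's topology: replies pass, LAN2 may reach the server
# on 22/23, the server may reach LAN2 printers on 9100, everything else between the sites drops.
FORWARD = load(
    "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -s 192.0.3.0/24 -d 192.0.0.0/24 -p tcp -m multiport --dports 22,23 -j ACCEPT",
    "iptables -A FORWARD -s 192.0.0.0/24 -d 192.0.3.0/24 -p tcp --dport 9100 -j ACCEPT",
    "iptables -A FORWARD -s 192.0.3.0/24 -d 192.0.0.0/24 -j DROP",
    "iptables -A FORWARD -s 192.0.0.0/24 -d 192.0.3.0/24 -j DROP",
)

SAMPLES = {                                 # constructed routed traffic between the two sites
    "lan2_ssh_to_server": packet("192.0.3.5", "192.0.0.10", 22),
    "lan2_smb_to_server": packet("192.0.3.5", "192.0.0.10", 445),
    "server_print_to_lan2": packet("192.0.0.10", "192.0.3.20", 9100),
    "printer_reply": packet("192.0.3.20", "192.0.0.10", 40000, state="ESTABLISHED"),
    "server_smb_to_nas": packet("192.0.0.10", "192.0.3.30", 445),
}

def routed_verdicts(chains):
    """Verdict per sample packet; with POSTED every one is just the ACCEPT policy (wrong chain)."""
    return {name: verdict(chains, p) for name, p in SAMPLES.items()}
```

Running `routed_verdicts(POSTED)` returns ACCEPT for every routed packet, because rules in OUTPUT only ever see traffic the router itself originates; the same rules do filter the router's own connections, which is consistent with the poster losing access while the backup traffic kept flowing. `routed_verdicts(FORWARD)` accepts the SSH session, the print job and the printer's reply and drops both SMB flows, including the NAS backup that was saturating the frame link. `SHADOWED` shows the -I pitfall: inserting the DROP at position 1 after the ACCEPTs puts it in front of them, so even the allowed SSH packet is dropped.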
# 14  
Old 12-05-2011
Quote:
Originally Posted by Corona688
-I inserts rules at the beginning. Why not -A? The difference could be important, especially with my present near-total ignorance of your current firewall. Depending on your firewall rules it's entirely possible that neither will work, and the rules have to be put in the appropriate place in your firewall instead of appended or prepended...

And for traffic to leave the router, it must also enter the router, yes? I think INPUT is more appropriate.

Have you tried the syntax as I actually gave them to you? I guess you can't use -dports, but otherwise...

Knowing your current firewall setup would be useful too...
OK I will use -A INPUT

What is this firewall you speak of? The only things on the ends of the WAN frame are the multiplexors ... they shoot straight into the switch.

192.0.3.0 & 192.0.0.0 think they are on the same network or subnet.

I tried syntax as you gave it. It didn't like the '!' That's why I wanted to do something similar to the commands I gave you earlier.