Isolating internal machine

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project


hipitihop
Posts: 22
Joined: Thu Aug 12, 2010 1:16 am

Isolating internal machine

Post by hipitihop »

I'm trying to set up iptables rules to isolate a machine 192.168.0.200 on my internal network 192.168.0.0/24 so that it cannot see any other machines on the internal network and only has internet access. I have added the following rules to my /etc/firewall.user:

iptables -N ALIEN_1
iptables -A INPUT  -s 192.168.0.200   -d 192.168.0.0/24   -j ALIEN_1
iptables -A FORWARD  -s 192.168.0.200   -d 192.168.0.0/24   -j ALIEN_1
iptables -A ALIEN_1  -j LOG  --log-level info --log-prefix "ALIEN 1 -- DENY "
iptables -A ALIEN_1  -j DROP

but the machine can still ping other machines on the network. If there are any iptables gurus out there that can point me in the right direction, please?

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Isolating internal machine

Post by Eric »

Try using:

iptables -I FORWARD  -s 192.168.0.200   -d 192.168.0.0/24   -j ALIEN_1

Use the -I flag instead of the -A flag. -A appends to the end of the chain, -I inserts it at the beginning. Right now it's hitting all the other rules first, so it's getting accepted before it ever gets to your rule.

Also, INPUT only applies to traffic going to the router -- you shouldn't need a rule for traffic going to that chain unless you want to block access to the router as well as the rest of your network. Though... maybe that is what you want. Just a friendly warning that you might not want/need that rule ;-)

hipitihop
Posts: 22
Joined: Thu Aug 12, 2010 1:16 am

Re: Isolating internal machine

Post by hipitihop »

Eric wrote: Try using:

iptables -I FORWARD  -s 192.168.0.200   -d 192.168.0.0/24   -j ALIEN_1

Thanks Eric, good points. So now I'm doing this:

iptables -N ALIEN_1
iptables -I FORWARD  -s 192.168.0.200   -d 192.168.0.0/24   -j ALIEN_1
iptables -A ALIEN_1  -j LOG  --log-level info --log-prefix "ALIEN 1 -- DENY "
iptables -A ALIEN_1  -j DROP

Unfortunately, I can still ping any machine on the network from that machine, 192.168.0.200. So, checking the FORWARD chain by doing:

iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      571  673K bw_ingress  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x8000/0x8000 reject-with icmp-port-unreachable 
3      589  674K ingress_restrictions  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           
4      466 67941 egress_restrictions  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0           
5        0     0 ALIEN_1    all  --  *      *       192.168.0.200        192.168.0.0/24      
6     1100  753K zone_wan_MSSFIX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7     1091  753K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
8       14  1054 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
9       14  1054 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
10       0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I can see we are certainly no longer at the end of the chain, but at line 5. Is this still too late? And if so, is that caused by firewall.user being included later in /etc/config/firewall?

BTW, the intention of this is to give one machine internet access only and not let it see any other machine on the same network. I'm assuming it needs to see the router itself at 192.168.0.1.
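An added example, not code from the thread: a POSIX shell check that reads the `iptables -vnL FORWARD --line-numbers` listing posted above and reports whether an isolation chain such as ALIEN_1 sits before the first ACCEPT rule (Eric's ordering point) and whether it has matched any packets. In that listing ALIEN_1 is at position 5, ahead of the ACCEPT at 7, yet shows 0 packets: the pings are not passing through the router's FORWARD chain at all, because hosts on the same 192.168.0.0/24 segment reach each other through the LAN switch without the router forwarding anything, so no FORWARD rule can see that traffic. The function and verdict names are my own.

```shell
#!/bin/sh
# Constructed sample input: the FORWARD listing posted in this thread, copied as-is.
FORWARD_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      571  673K bw_ingress  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x8000/0x8000 reject-with icmp-port-unreachable
3      589  674K ingress_restrictions  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
4      466 67941 egress_restrictions  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0
5        0     0 ALIEN_1    all  --  *      *       192.168.0.200        192.168.0.0/24
6     1100  753K zone_wan_MSSFIX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7     1091  753K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
8       14  1054 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
9       14  1054 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0
10       0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print "<num> <pkts>" for the first rule whose target is $1 in listing $2
# (defaults to the sample). Rule lines are the ones whose first field is a number.
rule_position() {
    printf '%s\n' "${2:-$FORWARD_LISTING}" |
        awk -v t="$1" '$1 ~ /^[0-9]+$/ && $4 == t { print $1, $2; exit }'
}

# Number of the first ACCEPT rule: a packet accepted there never reaches a
# DROP placed later in the chain, which is why -A (append) did not work.
first_accept() {
    printf '%s\n' "${1:-$FORWARD_LISTING}" |
        awk '$1 ~ /^[0-9]+$/ && $4 == "ACCEPT" { print $1; exit }'
}

# Verdict for an isolation chain: "missing" (not referenced from FORWARD),
# "too-late" (after the first ACCEPT), "never-hit" (ordered correctly but has
# matched 0 packets, so the traffic is not traversing the router's FORWARD
# chain at all), or "ok".
check_isolation() {
    pos=$(rule_position "$1" "${2:-$FORWARD_LISTING}")
    [ -n "$pos" ] || { echo missing; return 0; }
    num=${pos% *}; pkts=${pos#* }
    acc=$(first_accept "${2:-$FORWARD_LISTING}")
    if [ -n "$acc" ] && [ "$num" -gt "$acc" ]; then
        echo too-late
    elif [ "$pkts" = 0 ]; then
        echo never-hit
    else
        echo ok
    fi
}

check_isolation ALIEN_1   # prints: never-hit
```

On a live router the same functions accept the real listing as the last argument, e.g. `check_isolation ALIEN_1 "$(iptables -vnL FORWARD --line-numbers)"`.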

varma
Posts: 37
Joined: Thu Feb 17, 2011 7:53 pm

Re: Isolating internal machine

Post by varma »

Have you finally set up the IP isolation?

Because I was interested in exactly this situation, and if you positively succeeded I'd like to see your setup
and try it in my Gargoyle!

:D

thank you
Tp-Link WR1043ND v1.4 using Gargoyle 1.7.2
Tp-Link WDR3600 v1.5 using OpenWRT CC by SamKnows

