
Isolating internal machine

Posted: Sat Jul 02, 2011 8:49 am
by hipitihop
I'm trying to set up iptables rules to isolate a machine 192.168.0.200 on my internal network 192.168.0.0/24 so that it cannot see any other machines on the internal network and only has internet access. I have added the following rules to my /etc/firewall.user:

Code:

# custom chain: log the packet, then drop it
iptables -N ALIEN_1
# send LAN-bound traffic from the isolated host into that chain
iptables -A INPUT    -s 192.168.0.200  -d 192.168.0.0/24  -j ALIEN_1
iptables -A FORWARD  -s 192.168.0.200  -d 192.168.0.0/24  -j ALIEN_1
iptables -A ALIEN_1  -j LOG  --log-level info --log-prefix "ALIEN 1 -- DENY "
iptables -A ALIEN_1  -j DROP
But the machine can still ping other machines on the network. If there are any iptables gurus out there who can point me in the right direction, please?

Re: Isolating internal machine

Posted: Sat Jul 02, 2011 12:15 pm
by Eric
Try using:

Code:

iptables -I FORWARD  -s 192.168.0.200   -d 192.168.0.0/24   -j ALIEN_1
Use the -I flag instead of the -A flag. -A appends to the end of the chain; -I inserts at the beginning. Right now the traffic is hitting all the other rules first, so it's getting accepted before it ever gets to your rule.

Also, INPUT only applies to traffic going to the router itself, so you shouldn't need a rule sending that chain's traffic to ALIEN_1 unless you want to block access to the router as well as to the rest of your network. Though... maybe that is what you want. Just a friendly warning that you might not want/need that rule ;-)

Re: Isolating internal machine

Posted: Sat Jul 02, 2011 11:28 pm
by hipitihop
Eric wrote: Try using:

Code:

iptables -I FORWARD  -s 192.168.0.200   -d 192.168.0.0/24   -j ALIEN_1
Thanks Eric, good points. So now I'm doing this:

Code:

iptables -N ALIEN_1
# -I puts the jump at the top of FORWARD instead of the end
iptables -I FORWARD  -s 192.168.0.200  -d 192.168.0.0/24  -j ALIEN_1
iptables -A ALIEN_1  -j LOG  --log-level info --log-prefix "ALIEN 1 -- DENY "
iptables -A ALIEN_1  -j DROP
Unfortunately, I can still ping any machine on the network from that machine, 192.168.0.200. So, checking the FORWARD chain with:

Code:

iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      571  673K bw_ingress  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x8000/0x8000 reject-with icmp-port-unreachable 
3      589  674K ingress_restrictions  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           
4      466 67941 egress_restrictions  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0           
5        0     0 ALIEN_1    all  --  *      *       192.168.0.200        192.168.0.0/24      
6     1100  753K zone_wan_MSSFIX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7     1091  753K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
8       14  1054 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
9       14  1054 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
10       0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
I can see we are certainly no longer at the end of the chain, but at line 5. Is this still too late? And if so, is that caused by firewall.user being included later in /etc/config/firewall?

BTW, the intention of this is to give one machine internet access only and not let it see any other machine on the same network. I'm assuming it needs to see the router itself at 192.168.0.1.
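The listing above already answers the ordering question raised in Eric's reply: the jump to ALIEN_1 sits at position 5, ahead of the state RELATED,ESTABLISHED ACCEPT at 7, and the only rules before it are a conditional REJECT and jumps into Gargoyle's own chains. What matters is the packet counter: 0. A rule that is positioned early yet never counts a packet means the router is not seeing the traffic at all. The FORWARD chain normally only handles packets routed from one interface to another, and two hosts on the same subnet exchange packets directly over the switch (or the LAN bridge, for wireless clients) without going through the router's forwarding path, so a ping from .200 to a neighbour never reaches this rule. Isolating one host from its neighbours therefore has to be done at layer 2 (give the host its own VLAN/subnet, or use the access point's client isolation for a wireless client); a filter on the router then applies to traffic between the two subnets.

The script below is an added example, not code from the thread or from Gargoyle. It audits one rule from the output of `iptables -vnL <chain> --line-numbers` using only sh and awk, as found on an OpenWrt/Gargoyle router: where the rule sits, whether anything before it could accept the packet first, and whether it has matched anything. It runs offline against a constructed copy of the FORWARD listing posted above; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit one rule in an iptables chain from
# the output of `iptables -vnL <chain> --line-numbers`, using only sh + awk.
# Column layout of that output:
#   num pkts bytes target prot opt in out source destination [match details]

# Constructed sample: the FORWARD listing posted in the thread.
SAMPLE_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      571  673K bw_ingress  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK match 0x8000/0x8000 reject-with icmp-port-unreachable
3      589  674K ingress_restrictions  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
4      466 67941 egress_restrictions  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0
5        0     0 ALIEN_1    all  --  *      *       192.168.0.200        192.168.0.0/24
6     1100  753K zone_wan_MSSFIX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7     1091  753K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
8       14  1054 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
9       14  1054 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0
10       0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Built-in targets that cannot let a packet through on their own (terminating
# denies, and non-terminating log/mark targets). Anything else in the target
# column is ACCEPT or a user-defined chain whose rules are not visible here.
CANNOT_ACCEPT='DROP REJECT LOG RETURN MARK CONNMARK TCPMSS'

# rule_position LISTING TARGET: line number of the first rule jumping to TARGET
# (prints nothing if no such rule exists).
rule_position() {
  printf '%s\n' "$1" | awk -v t="$2" '$1 ~ /^[0-9]+$/ && $4 == t { print $1; exit }'
}

# rule_packets LISTING TARGET: packet counter of that rule.
rule_packets() {
  printf '%s\n' "$1" | awk -v t="$2" '$1 ~ /^[0-9]+$/ && $4 == t { print $2; exit }'
}

# earlier_verdicts LISTING TARGET: "num:target" for every rule *before* TARGET
# that is ACCEPT or a jump into a user chain that might accept. One line,
# space separated; empty if nothing before TARGET can accept the packet.
earlier_verdicts() {
  printf '%s\n' "$1" | awk -v t="$2" -v skip="$CANNOT_ACCEPT" '
    BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) harmless[a[i]] = 1 }
    $1 ~ /^[0-9]+$/ && $4 == t { exit }
    $1 ~ /^[0-9]+$/ && !($4 in harmless) {
      if (out != "") out = out " "
      out = out $1 ":" $4
    }
    END { print out }'
}

# rule_verdict LISTING TARGET: one of missing / never-matched / matching.
rule_verdict() {
  pos=$(rule_position "$1" "$2")
  if [ -z "$pos" ]; then
    echo missing
  elif [ "$(rule_packets "$1" "$2")" = 0 ]; then
    echo never-matched
  else
    echo matching
  fi
}

# audit_report LISTING TARGET: human-readable summary of the three checks.
audit_report() {
  case "$(rule_verdict "$1" "$2")" in
    missing)
      echo "$2: no rule in this chain jumps to it" ;;
    never-matched)
      echo "$2: rule at position $(rule_position "$1" "$2") has matched 0 packets"
      earlier=$(earlier_verdicts "$1" "$2")
      if [ -n "$earlier" ]; then
        echo "  rules that could accept the traffic first: $earlier"
      fi
      echo "  if those do not accept it, the traffic is not reaching this chain at all"
      echo "  (same-subnet LAN hosts talk over the switch, not through the router)" ;;
    matching)
      echo "$2: matched $(rule_packets "$1" "$2") packets" ;;
  esac
}

audit_report "$SAMPLE_LISTING" ALIEN_1
```

On a live router, replace the constructed listing with `$(iptables -vnL FORWARD --line-numbers)` and run `audit_report` for your chain; user chains flagged by `earlier_verdicts` can be listed the same way to see whether they contain an ACCEPT that matches the isolated host.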

Re: Isolating internal machine

Posted: Thu Jul 21, 2011 2:42 am
by varma
Have you finally set up the IP isolation?

Because I was interested in exactly this situation, and if you succeeded I'd like to see your setup
and try it on my Gargoyle!

:D

Thank you.