Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: [iptables] Zone based rules
From: "Magosányi, Árpád" <m4gw4s () gmail com>
Date: Tue, 09 Apr 2013 19:37:58 +0200

On 04/09/2013 05:41 PM, Jimmy Thrasibule wrote:
  # Zones creation.
  -N ZONE_MRKT
  -N MRKT_OUT

  -N ZONE_SRV
  -N SRV_IN

  # Traffic coming from the zones.
  -A FORWARD -i eth0 ZONE_MRKT
  -A FORWARD -i eth1 ZONE_SRV

  # Traffic to the zones.
  -A FORWARD -o eth0 ZONE_MRKT
  -A FORWARD -o eth1 ZONE_SRV


  # Let's look at marketing.
  -A ZONE_MKRT -i eth0 -s mar.ket.ing.net/mask -d any/0 -j MRKT_OUT
  # Marketing allows any outgoing traffic.
  -A MRKT_OUT -j ACCEPT

  # Servers
  -A ZONE_SRV -o eth1 -s any/0 -d ser.ver.s.net/mask -j SRV_IN
  -A SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP


In this example traffic leaving a zone is checked first so any traffic
from marketing is allowed while the servers zone denies traffic from
marketing.

In can change the rules order but this will not solve the problem.
What about using the RETURN target instead of ACCEPT, and denying
everything in the zone-specific chain?
I believe it would solve the problem.
Having an IN and an OUT chain for each zone would mean more efficient
processing also.

KZORP ( https://github.com/balabit/kzorp ) have a notion of zone
hierarchy. You might want to take a look at it.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]