Re: [iptables] Zone based rules
From: "Magosányi, Árpád" <m4gw4s () gmail com>
Date: Tue, 09 Apr 2013 19:37:58 +0200
On 04/09/2013 05:41 PM, Jimmy Thrasibule wrote:
> # Zones creation.
> -N ZONE_MRKT
> -N ZONE_SRV
> -N MRKT_OUT
> -N SRV_IN
> # Traffic coming from the zones.
> -A FORWARD -i eth0 -j ZONE_MRKT
> -A FORWARD -i eth1 -j ZONE_SRV
> # Traffic to the zones.
> -A FORWARD -o eth0 -j ZONE_MRKT
> -A FORWARD -o eth1 -j ZONE_SRV
> # Let's look at marketing.
> -A ZONE_MRKT -i eth0 -s mar.ket.ing.net/mask -d 0.0.0.0/0 -j MRKT_OUT
> # Marketing allows any outgoing traffic.
> -A MRKT_OUT -j ACCEPT
> # The servers zone checks what comes in.
> -A ZONE_SRV -o eth1 -s 0.0.0.0/0 -d ser.ver.s.net/mask -j SRV_IN
> -A SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
>
> In this example traffic leaving a zone is checked first so any traffic
> from marketing is allowed while the servers zone denies traffic from
> I can change the rules order but this will not solve the problem.
What about using the RETURN target instead of ACCEPT, and denying
everything in the zone-specific chain?
I believe it would solve the problem.
Having an IN and an OUT chain for each zone would mean more efficient
KZORP ( https://github.com/balabit/kzorp ) has a notion of zone
hierarchy. You might want to take a look at it.
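To see why swapping ACCEPT for RETURN changes the outcome, here is an added Python model of how iptables walks its chains, run over both layouts: the one quoted above, where MRKT_OUT ends in ACCEPT, and a RETURN-based one where the zone chains only DROP or hand the packet back and ACCEPT is decided in FORWARD once every zone chain on the path has been consulted. This is example code written for this note, not code from either poster or from any project; the zone networks 10.10.0.0/16 and 10.20.0.0/24, the interface eth2 and the two closing ACCEPT rules in FORWARD are assumptions, since the post only gives placeholders.

```python
"""Added example: a model of iptables chain traversal for the zone layouts.

Verdict semantics reproduced from iptables:
  ACCEPT / DROP  end evaluation for the packet immediately
  RETURN         go back to the calling chain and continue after the jump
  a user chain with no matching rule returns to its caller
  falling off the end of the built-in FORWARD chain applies its policy
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone networks; the post only shows placeholders such as mar.ket.ing.net/mask.
MRKT_NET = ipaddress.ip_network("10.10.0.0/16")
SRV_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    target: str                                   # user chain or ACCEPT / DROP / RETURN
    in_if: Optional[str] = None                   # -i
    out_if: Optional[str] = None                  # -o
    src: Optional[ipaddress.IPv4Network] = None   # -s
    dst: Optional[ipaddress.IPv4Network] = None   # -d
    proto: Optional[str] = None                   # -p
    dport: Optional[int] = None                   # --dport

    def matches(self, p: Packet) -> bool:
        """An unset field matches anything, like an omitted option in iptables."""
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.out_if is None or self.out_if == p.out_if)
            and (self.src is None or ipaddress.ip_address(p.src) in self.src)
            and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def walk(chains: dict, chain: str, p: Packet) -> Optional[str]:
    """Evaluate one chain: ACCEPT/DROP, or None when the chain returned."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        result = walk(chains, rule.target, p)     # jump into a user chain
        if result is not None:
            return result                         # terminal verdict propagates up
        # the user chain returned: continue with the next rule of this chain
    return None


def verdict(chains: dict, p: Packet, policy: str = "DROP") -> str:
    """Verdict for a forwarded packet; the FORWARD policy is the fallback."""
    v = walk(chains, "FORWARD", p)
    return v if v is not None else policy


def zone_dispatch() -> list:
    """The four FORWARD rules from the post: traffic from and to each interface
    goes through that zone's chain."""
    return [Rule("ZONE_MRKT", in_if="eth0"), Rule("ZONE_SRV", in_if="eth1"),
            Rule("ZONE_MRKT", out_if="eth0"), Rule("ZONE_SRV", out_if="eth1")]


def accept_ruleset() -> dict:
    """Layout from the post: MRKT_OUT ends in ACCEPT, so ZONE_SRV is never reached."""
    return {
        "FORWARD": zone_dispatch(),
        "ZONE_MRKT": [Rule("MRKT_OUT", in_if="eth0", src=MRKT_NET)],
        "MRKT_OUT": [Rule("ACCEPT")],
        "ZONE_SRV": [Rule("SRV_IN", out_if="eth1", dst=SRV_NET)],
        "SRV_IN": [Rule("DROP", src=MRKT_NET, proto="tcp", dport=22)],
    }


def return_ruleset() -> dict:
    """RETURN-based layout: "allow" in a zone chain hands the packet back, and
    FORWARD accepts only after all zone chains on the path returned. The closing
    ACCEPT rules (assumed) admit only traffic that entered on a known zone
    interface; anything else falls to the DROP policy."""
    return {
        "FORWARD": zone_dispatch() + [Rule("ACCEPT", in_if="eth0"), Rule("ACCEPT", in_if="eth1")],
        "ZONE_MRKT": [Rule("MRKT_OUT", in_if="eth0", src=MRKT_NET)],
        "MRKT_OUT": [Rule("RETURN")],
        "ZONE_SRV": [Rule("SRV_IN", out_if="eth1", dst=SRV_NET)],
        "SRV_IN": [Rule("DROP", src=MRKT_NET, proto="tcp", dport=22)],
    }


def compare(p: Packet) -> tuple:
    """(verdict under the ACCEPT layout, verdict under the RETURN layout)."""
    return verdict(accept_ruleset(), p), verdict(return_ruleset(), p)


if __name__ == "__main__":
    samples = {  # constructed sample flows
        "marketing -> servers ssh": Packet("eth0", "eth1", "10.10.1.5", "10.20.0.10", "tcp", 22),
        "marketing -> servers http": Packet("eth0", "eth1", "10.10.1.5", "10.20.0.10", "tcp", 80),
        "marketing -> internet https": Packet("eth0", "eth2", "10.10.1.5", "203.0.113.7", "tcp", 443),
        "unknown if -> servers ssh": Packet("eth2", "eth1", "203.0.113.7", "10.20.0.10", "tcp", 22),
    }
    for name, pkt in samples.items():
        a, r = compare(pkt)
        print(f"{name:30} ACCEPT-layout={a:6} RETURN-layout={r}")
```

Under the quoted layout the ssh flow from marketing to the servers is accepted, because MRKT_OUT's ACCEPT ends evaluation before the FORWARD rule that dispatches to ZONE_SRV is ever consulted; under the RETURN layout the same packet comes back to FORWARD, continues to ZONE_SRV, and SRV_IN drops it, while marketing's other traffic is still accepted. A whitelist variant of the same idea keeps RETURN for the permitted flows and ends each zone chain in DROP.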
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com