Isolating a subnet

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I need to allow public access to a web server on one computer on my
network.  I'm forwarding from the main firewall to the computer.  The
computer sits behind its own local router, and it's on its own physical

I think all I need to do is something like this at the local router:

iptables -A INPUT -p TCP !--syn --interface vlanX --destination -J ACCEPT
iptables -A INPUT -p TCP !--syn --interface vlanX --sport 80 -J ACCEPT
iptables -A INPUT --interface vlanX -J DROP

In other words, only allow returning http connections and returning
connections from the local network (so I can get in with ssh).

Anyone see anything wrong with this?


Re: Isolating a subnet

CptDondo wrote:
Quoted text here. Click to load it

Hello Yan,

It looks like you are using the wrong iptables chain here, use FORWARD
instead of the current one, which is used to filter routing traffic
assuming you are configuring your local router as noted on your post.
Also i advice you to have a look at iptables' statefull inspection
functionality (look at the state module in the man)

Re: Isolating a subnet

Leander de Graaf wrote:
Quoted text here. Click to load it

It's been a while since I've used iptables...

I am trying to completely box this computer in... If it is compromised,
I don't want it to have any chance of even connecting to the router.
That's why I picked the INPUT chain.  Maybe I need to read up on
iptables again....

What advantage would stateful inspection give me over the --syn packet

Re: Isolating a subnet

CptDondo wrote:
Quoted text here. Click to load it

Having iptables only check on the packet flags without knowing what has
been going on in advance is not a very secure practice. Anyone trying to
abuse your net can possibly generate packets that can bypass the
firewall rules and reach your webserver. I have used this way on many
boxes and know it works flawlessly.

Leander de Graaf

Site Timeline