Routing between two private subnets

jrogby · n00b Joined: 02 Aug 2006 Posts: 10

If you take a look at this picture:
http://www.fw1.mumindalen.info/pictures/firewalling2.jpg

The firewall (iptables, shorewall) is not allowing any traffic to any interface by default. But traffic from "HOST A" to "HOST" and vice verca don't get dropped or rejected by the firewall. What is the best relevant configuration to stop traffic between the sub-networks (.2.0/24, .1.0/24)? And more important, why is the traffic between the sub-networks allowed?

And I repeat: The firewall configuration do NOT allow traffic from zone loc (.1.0/24) and wlan (.2.0/24).

How do I solve this and why is this happening?

moocha · Watchman Joined: 21 Oct 2003 Posts: 5722

Is your FORWARD chain policy by any chance set to ACCEPT?
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin

jrogby · n00b Joined: 02 Aug 2006 Posts: 10

Seems like I don't have any FORWARD chain what so ever.. What's the best place to put a rule like this? Is /etc/shorewall/policy the place to put it? And how about the syntax then?

Regards Jonatan

moocha · Watchman Joined: 21 Oct 2003 Posts: 5722

I'm sorry, I'm not actually familiar with shorewall's syntax (I use custom-built rules). To check the chain policy (it's simply not possible that you don't have a FORWARD chain if you have iptables support in the kernel) issue this command (after starting the firewall, of course - also note it is case sensitive):

jrogby · n00b Joined: 02 Aug 2006 Posts: 10

moocha · Watchman Joined: 21 Oct 2003 Posts: 5722

Based on what I'm seeing there, I'd say it should not, since it specifies that traffic originating from eth1 gets forwarded to anywhere, etc etc.
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin

Katano · n00b Joined: 06 Oct 2005 Posts: 14

hello,

well... it seems that you dont allow forwarding at all.
so am i guessing right that you have an proxy server running that handels the connection to the internet?
maybe that is the weak point in this construction...
because, as moocha already said, iptables should block the traffic...

greetings,
katano

jrogby · n00b Joined: 02 Aug 2006 Posts: 10

I don't have any advanced network setup (yet :lol:

). But since I installed a new NIC on my firewall (Now it's a new machine with new NICs, the old one was big, slow and noicy), I alwas had this problem..

I have for the moment very few PCs connected to the network and I have only ONE acting as a firewall/router (running debian). No modems or other routers is connected (100Mbit ethernet jack in my apartment).

I have two "LAN"-zones, loc and wlan. The problem is that computers from my wlan can access my loc (wired LAN). That should not be possible as it is a big security risk (btw. wlan is protected with WPA and filter it mac-addresses)! But anyway it SHOULD not be possible to connect to the loc zone from wlan zone..

Running IPTABLES w/shorewall on top.
loc 192.168.1.0/24
wlan 192.168.2.0/24 (it's a normal ethernet card connected to an AP (dhcp etc is disabled on the AP)

oooh, should get some sleep... hope you understand what I mean anyway..

mno · Posted: Thu Aug 03, 2006 2:53 pm Post subject:

moocha · Watchman Joined: 21 Oct 2003 Posts: 5722