|
@@ -25,10 +25,10 @@ sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m
|
25
|
25
|
# Allow everything for trusted networks
|
26
|
26
|
sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
|
27
|
27
|
sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
|
28
|
|
-sudo iptables -A INPUT -j ACCEPT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device"
|
29
|
|
-sudo iptables -A OUTPUT -j ACCEPT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
|
|
28
|
+sudo iptables -A INPUT -j ACCEPT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device"
|
|
29
|
+sudo iptables -A OUTPUT -j ACCEPT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
|
30
|
30
|
|
31
|
|
-sudo iptables -A OUTPUT -j ACCEPT -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
|
|
31
|
+sudo iptables -A OUTPUT -j ACCEPT -o eth0 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
|
32
|
32
|
|
33
|
33
|
# Add reject rule for propper feedback
|
34
|
34
|
sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"
|
|
@@ -49,40 +49,40 @@ sudo iptables -A FORWARD -j ACCEPT -p udp --sport 123 -m comment --comment "forw
|
49
|
49
|
# -> VLAN10 (Internet)
|
50
|
50
|
#---------------------
|
51
|
51
|
# Allow VLAN30 full access to the internet
|
52
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
|
53
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
|
|
52
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
|
|
53
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
|
54
|
54
|
# Allow VLAN40 access to to http,https
|
55
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
|
56
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
|
|
55
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
|
|
56
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
|
57
|
57
|
# Allow VLAN60 access to to http,https
|
58
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
|
|
58
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
|
59
|
59
|
|
60
|
60
|
#--------------------
|
61
|
61
|
# -> VLAN20 (Network)
|
62
|
62
|
#--------------------
|
63
|
63
|
# Allow VLAN30 full access
|
64
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
|
|
64
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
|
65
|
65
|
|
66
|
66
|
#--------------------------------------
|
67
|
67
|
# -> VLAN30 (Family) - VERY RESTRICTIVE
|
68
|
68
|
#--------------------------------------
|
69
|
69
|
# Allow VLAN40 and VLAN50 access to the mqtt port
|
70
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
|
71
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
|
72
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
|
|
70
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
|
|
71
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
|
|
72
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
|
73
|
73
|
|
74
|
74
|
|
75
|
75
|
#-------------------------------
|
76
|
76
|
# -> VLAN40 (Untrusted Internet)
|
77
|
77
|
#-------------------------------
|
78
|
78
|
# Allow VLAN30 full access
|
79
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
|
|
79
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
|
80
|
80
|
|
81
|
81
|
#---------------------------------
|
82
|
82
|
# -> VLAN50 (Untrusted no Internet
|
83
|
83
|
#---------------------------------
|
84
|
84
|
# Allow VLAN30 full access
|
85
|
|
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
|
|
85
|
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
|
86
|
86
|
|
87
|
87
|
#------------------
|
88
|
88
|
# -> VLAN60 (Gäste)
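Review bot: `--dport 80:443` on the re-added VLAN40 and VLAN60 forwards (new lines 55 and 58 of this hunk) is a port range, so these rules also forward every TCP port from 81 through 442 to the internet, which is wider than the comment "forward all http and https traffic" describes. If only the two web ports are intended, match them explicitly with `-m multiport --dports 80,443` in place of `--dport 80:443` on both lines. The masquerade rule on new line 96 of the last hunk now matches `-o eth0` but its comment still reads `masquerade ->eth0.10`, so it should name the interface it actually matches, e.g. `--comment "masquerade ->eth0 (internet uplink)"`. The eth0/eth0.30 interface swap itself looks consistent across the three hunks, assuming eth0 is now the untagged VLAN10 uplink as the `# -> VLAN10 (Internet)` header suggests.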
|
|
@@ -93,9 +93,9 @@ sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comm
|
93
|
93
|
#----------------------
|
94
|
94
|
# Masquerade traffic to
|
95
|
95
|
#----------------------
|
96
|
|
-sudo iptables -t nat -A POSTROUTING -o eth0.10 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
|
|
96
|
+sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
|
97
|
97
|
sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
|
98
|
|
-sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
|
|
98
|
+sudo iptables -t nat -A POSTROUTING -o eth0.30 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
|
99
|
99
|
sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
|
100
|
100
|
sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"
|
101
|
101
|
|