Przeglądaj źródła

adapted for vlan10 as eth0

master
Dirk Alders 1 rok temu
rodzic
commit
ec7d41a9b4
2 zmienionych plików z 32 dodań i 32 usunięć
  1. 16
    16
      ipt-static-ruleset
  2. 16
    16
      rules.v4

+ 16
- 16
ipt-static-ruleset Wyświetl plik

@@ -25,10 +25,10 @@ sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m
25 25
 # Allow everything for trusted networks
26 26
 sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
27 27
 sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
28
-sudo iptables -A INPUT -j ACCEPT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device"
29
-sudo iptables -A OUTPUT -j ACCEPT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
28
+sudo iptables -A INPUT -j ACCEPT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device"
29
+sudo iptables -A OUTPUT -j ACCEPT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
30 30
 
31
-sudo iptables -A OUTPUT -j ACCEPT -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
31
+sudo iptables -A OUTPUT -j ACCEPT -o eth0 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
32 32
 
33 33
 # Add reject rule for propper feedback
34 34
 sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"
@@ -49,40 +49,40 @@ sudo iptables -A FORWARD -j ACCEPT -p udp --sport 123 -m comment --comment "forw
49 49
 # -> VLAN10 (Internet)
50 50
 #---------------------
51 51
 # Allow VLAN30 full access to the internet
52
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
53
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
52
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
53
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
54 54
 # Allow VLAN40 access to to http,https
55
-sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
56
-sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
55
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
56
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
57 57
 # Allow VLAN60 access to to http,https
58
-sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
58
+sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
59 59
 
60 60
 #--------------------
61 61
 # -> VLAN20 (Network)
62 62
 #--------------------
63 63
 # Allow VLAN30 full access
64
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
64
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
65 65
 
66 66
 #--------------------------------------
67 67
 # -> VLAN30 (Family) - VERY RESTRICTIVE
68 68
 #--------------------------------------
69 69
 # Allow VLAN40 and VLAN50 access to the mqtt port
70
-sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
71
-sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
72
-sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
70
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
71
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
72
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
73 73
 
74 74
 
75 75
 #-------------------------------
76 76
 # -> VLAN40 (Untrusted Internet)
77 77
 #-------------------------------
78 78
 # Allow VLAN30 full access
79
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
79
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
80 80
 
81 81
 #---------------------------------
82 82
 # -> VLAN50 (Untrusted no Internet
83 83
 #---------------------------------
84 84
 # Allow VLAN30 full access
85
-sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
85
+sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
86 86
 
87 87
 #------------------
88 88
 # -> VLAN60 (Gäste)
@@ -93,9 +93,9 @@ sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comm
93 93
 #----------------------
94 94
 # Masquerade traffic to
95 95
 #----------------------
96
-sudo iptables -t nat -A POSTROUTING -o eth0.10 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
96
+sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
97 97
 sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
98
-sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
98
+sudo iptables -t nat -A POSTROUTING -o eth0.30 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
99 99
 sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
100 100
 sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"
101 101
 

+ 16
- 16
rules.v4 Wyświetl plik

@@ -10,23 +10,23 @@
10 10
 -A INPUT -p udp -m udp --dport 123 -m comment --comment "accept incomming ntp" -j ACCEPT
11 11
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all incomming established and related trafic" -j ACCEPT
12 12
 -A INPUT -i lo -m comment --comment "accept all incoming traffic of loopback device" -j ACCEPT
13
--A INPUT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device" -j ACCEPT
13
+-A INPUT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device" -j ACCEPT
14 14
 -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT --reject-with icmp-port-unreachable
15 15
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "forward all established and related traffic" -j ACCEPT
16 16
 -A FORWARD -p icmp -m icmp --icmp-type 8 -m comment --comment "forward all pings" -j ACCEPT
17 17
 -A FORWARD -p udp -m udp --dport 123 -m comment --comment "forward all ntp request" -j ACCEPT
18 18
 -A FORWARD -p udp -m udp --sport 123 -m comment --comment "forward all ntp request" -j ACCEPT
19
--A FORWARD ! -d 192.168.0.0/16 -i eth0 -o eth0.10 -m comment --comment "forward all traffic from vlan30 to the internet" -j ACCEPT
20
--A FORWARD -d 192.168.0.0/24 -i eth0 -o eth0.10 -m comment --comment "forward all traffic from vlan30 to vlan10" -j ACCEPT
21
--A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0.10 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet" -j ACCEPT
22
--A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0.10 -p tcp -m tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher" -j ACCEPT
23
--A FORWARD ! -d 192.168.0.0/16 -i eth0.60 -o eth0.10 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet" -j ACCEPT
24
--A FORWARD -d 192.168.20.0/24 -i eth0 -o eth0.20 -m comment --comment "forward traffic from vlan30 to VLAN20" -j ACCEPT
25
--A FORWARD -d 192.168.30.0/24 -i eth0.40 -o eth0 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30" -j ACCEPT
26
--A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30" -j ACCEPT
27
--A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0 -p tcp -m tcp --dport 21 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)" -j ACCEPT
28
--A FORWARD -d 192.168.40.0/24 -i eth0 -o eth0.40 -m comment --comment "forward traffic from vlan30 to VLAN40" -j ACCEPT
29
--A FORWARD -d 192.168.50.0/24 -i eth0 -o eth0.50 -m comment --comment "forward traffic from vlan30 to VLAN50" -j ACCEPT
19
+-A FORWARD ! -d 192.168.0.0/16 -i eth0.30 -o eth0 -m comment --comment "forward all traffic from vlan30 to the internet" -j ACCEPT
20
+-A FORWARD -d 192.168.0.0/24 -i eth0.30 -o eth0 -m comment --comment "forward all traffic from vlan30 to vlan10" -j ACCEPT
21
+-A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet" -j ACCEPT
22
+-A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0 -p tcp -m tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher" -j ACCEPT
23
+-A FORWARD ! -d 192.168.0.0/16 -i eth0.60 -o eth0 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet" -j ACCEPT
24
+-A FORWARD -d 192.168.20.0/24 -i eth0.30 -o eth0.20 -m comment --comment "forward traffic from vlan30 to VLAN20" -j ACCEPT
25
+-A FORWARD -d 192.168.30.0/24 -i eth0.40 -o eth0.30 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30" -j ACCEPT
26
+-A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0.30 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30" -j ACCEPT
27
+-A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0.30 -p tcp -m tcp --dport 21 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)" -j ACCEPT
28
+-A FORWARD -d 192.168.40.0/24 -i eth0.30 -o eth0.40 -m comment --comment "forward traffic from vlan30 to VLAN40" -j ACCEPT
29
+-A FORWARD -d 192.168.50.0/24 -i eth0.30 -o eth0.50 -m comment --comment "forward traffic from vlan30 to VLAN50" -j ACCEPT
30 30
 -A OUTPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "accept outgoing pings" -j ACCEPT
31 31
 -A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "accept outgoing dhcp" -j ACCEPT
32 32
 -A OUTPUT -p udp -m udp --dport 53 -m comment --comment "accept outgoing dns" -j ACCEPT
@@ -35,8 +35,8 @@
35 35
 -A OUTPUT -p tcp -m tcp --dport 22 -m comment --comment "accept outgoing ssh" -j ACCEPT
36 36
 -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all outgoing established and related trafic" -j ACCEPT
37 37
 -A OUTPUT -o lo -m comment --comment "accept all outgoing traffic of the loopback device" -j ACCEPT
38
--A OUTPUT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device" -j ACCEPT
39
--A OUTPUT ! -d 192.168.0.0/16 -o eth0.10 -m comment --comment "accept all outgoing traffic to the internet" -j ACCEPT
38
+-A OUTPUT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device" -j ACCEPT
39
+-A OUTPUT ! -d 192.168.0.0/16 -o eth0 -m comment --comment "accept all outgoing traffic to the internet" -j ACCEPT
40 40
 COMMIT
41 41
 # Completed on Mon Oct  2 20:48:26 2023
42 42
 # Generated by iptables-save v1.8.7 on Mon Oct  2 20:48:26 2023
@@ -45,9 +45,9 @@ COMMIT
45 45
 :INPUT ACCEPT [0:0]
46 46
 :OUTPUT ACCEPT [0:0]
47 47
 :POSTROUTING ACCEPT [0:0]
48
--A POSTROUTING -o eth0.10 -m comment --comment "masquerade ->eth0.10" -j MASQUERADE
48
+-A POSTROUTING -o eth0 -m comment --comment "masquerade ->eth0.10" -j MASQUERADE
49 49
 -A POSTROUTING -o eth0.20 -m comment --comment "masquerade ->eth0.20" -j MASQUERADE
50
--A POSTROUTING -o eth0 -m comment --comment "masquerade ->eth0.30" -j MASQUERADE
50
+-A POSTROUTING -o eth0.30 -m comment --comment "masquerade ->eth0.30" -j MASQUERADE
51 51
 -A POSTROUTING -o eth0.40 -m comment --comment "masquerade ->eth0.40" -j MASQUERADE
52 52
 -A POSTROUTING -o eth0.50 -m comment --comment "masquerade ->eth0.50" -j MASQUERADE
53 53
 COMMIT

Ładowanie…
Anuluj
Zapisz