adapted for vlan10 as eth0
This commit is contained in:
parent
dd58a6905e
commit
ec7d41a9b4
@ -25,10 +25,10 @@ sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m
|
|||||||
# Allow everything for trusted networks
|
# Allow everything for trusted networks
|
||||||
sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
|
sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
|
||||||
sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
|
sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
|
||||||
sudo iptables -A INPUT -j ACCEPT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device"
|
sudo iptables -A INPUT -j ACCEPT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device"
|
||||||
sudo iptables -A OUTPUT -j ACCEPT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
|
sudo iptables -A OUTPUT -j ACCEPT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
|
||||||
|
|
||||||
sudo iptables -A OUTPUT -j ACCEPT -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
|
sudo iptables -A OUTPUT -j ACCEPT -o eth0 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
|
||||||
|
|
||||||
# Add reject rule for propper feedback
|
# Add reject rule for propper feedback
|
||||||
sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"
|
sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"
|
||||||
@ -49,40 +49,40 @@ sudo iptables -A FORWARD -j ACCEPT -p udp --sport 123 -m comment --comment "forw
|
|||||||
# -> VLAN10 (Internet)
|
# -> VLAN10 (Internet)
|
||||||
#---------------------
|
#---------------------
|
||||||
# Allow VLAN30 full access to the internet
|
# Allow VLAN30 full access to the internet
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
|
||||||
# Allow VLAN40 access to to http,https
|
# Allow VLAN40 access to to http,https
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
|
||||||
# Allow VLAN60 access to to http,https
|
# Allow VLAN60 access to to http,https
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
|
||||||
|
|
||||||
#--------------------
|
#--------------------
|
||||||
# -> VLAN20 (Network)
|
# -> VLAN20 (Network)
|
||||||
#--------------------
|
#--------------------
|
||||||
# Allow VLAN30 full access
|
# Allow VLAN30 full access
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
|
||||||
|
|
||||||
#--------------------------------------
|
#--------------------------------------
|
||||||
# -> VLAN30 (Family) - VERY RESTRICTIVE
|
# -> VLAN30 (Family) - VERY RESTRICTIVE
|
||||||
#--------------------------------------
|
#--------------------------------------
|
||||||
# Allow VLAN40 and VLAN50 access to the mqtt port
|
# Allow VLAN40 and VLAN50 access to the mqtt port
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
|
||||||
|
|
||||||
|
|
||||||
#-------------------------------
|
#-------------------------------
|
||||||
# -> VLAN40 (Untrusted Internet)
|
# -> VLAN40 (Untrusted Internet)
|
||||||
#-------------------------------
|
#-------------------------------
|
||||||
# Allow VLAN30 full access
|
# Allow VLAN30 full access
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
|
||||||
|
|
||||||
#---------------------------------
|
#---------------------------------
|
||||||
# -> VLAN50 (Untrusted no Internet
|
# -> VLAN50 (Untrusted no Internet
|
||||||
#---------------------------------
|
#---------------------------------
|
||||||
# Allow VLAN30 full access
|
# Allow VLAN30 full access
|
||||||
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
|
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
|
||||||
|
|
||||||
#------------------
|
#------------------
|
||||||
# -> VLAN60 (Gäste)
|
# -> VLAN60 (Gäste)
|
||||||
@ -93,9 +93,9 @@ sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comm
|
|||||||
#----------------------
|
#----------------------
|
||||||
# Masquerade traffic to
|
# Masquerade traffic to
|
||||||
#----------------------
|
#----------------------
|
||||||
sudo iptables -t nat -A POSTROUTING -o eth0.10 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
|
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
|
||||||
sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
|
sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
|
||||||
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
|
sudo iptables -t nat -A POSTROUTING -o eth0.30 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
|
||||||
sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
|
sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
|
||||||
sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"
|
sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"
|
||||||
|
|
||||||
|
32
rules.v4
32
rules.v4
@ -10,23 +10,23 @@
|
|||||||
-A INPUT -p udp -m udp --dport 123 -m comment --comment "accept incomming ntp" -j ACCEPT
|
-A INPUT -p udp -m udp --dport 123 -m comment --comment "accept incomming ntp" -j ACCEPT
|
||||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all incomming established and related trafic" -j ACCEPT
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all incomming established and related trafic" -j ACCEPT
|
||||||
-A INPUT -i lo -m comment --comment "accept all incoming traffic of loopback device" -j ACCEPT
|
-A INPUT -i lo -m comment --comment "accept all incoming traffic of loopback device" -j ACCEPT
|
||||||
-A INPUT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device" -j ACCEPT
|
-A INPUT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device" -j ACCEPT
|
||||||
-A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT --reject-with icmp-port-unreachable
|
-A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT --reject-with icmp-port-unreachable
|
||||||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "forward all established and related traffic" -j ACCEPT
|
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "forward all established and related traffic" -j ACCEPT
|
||||||
-A FORWARD -p icmp -m icmp --icmp-type 8 -m comment --comment "forward all pings" -j ACCEPT
|
-A FORWARD -p icmp -m icmp --icmp-type 8 -m comment --comment "forward all pings" -j ACCEPT
|
||||||
-A FORWARD -p udp -m udp --dport 123 -m comment --comment "forward all ntp request" -j ACCEPT
|
-A FORWARD -p udp -m udp --dport 123 -m comment --comment "forward all ntp request" -j ACCEPT
|
||||||
-A FORWARD -p udp -m udp --sport 123 -m comment --comment "forward all ntp request" -j ACCEPT
|
-A FORWARD -p udp -m udp --sport 123 -m comment --comment "forward all ntp request" -j ACCEPT
|
||||||
-A FORWARD ! -d 192.168.0.0/16 -i eth0 -o eth0.10 -m comment --comment "forward all traffic from vlan30 to the internet" -j ACCEPT
|
-A FORWARD ! -d 192.168.0.0/16 -i eth0.30 -o eth0 -m comment --comment "forward all traffic from vlan30 to the internet" -j ACCEPT
|
||||||
-A FORWARD -d 192.168.0.0/24 -i eth0 -o eth0.10 -m comment --comment "forward all traffic from vlan30 to vlan10" -j ACCEPT
|
-A FORWARD -d 192.168.0.0/24 -i eth0.30 -o eth0 -m comment --comment "forward all traffic from vlan30 to vlan10" -j ACCEPT
|
||||||
-A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0.10 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet" -j ACCEPT
|
-A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet" -j ACCEPT
|
||||||
-A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0.10 -p tcp -m tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher" -j ACCEPT
|
-A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0 -p tcp -m tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher" -j ACCEPT
|
||||||
-A FORWARD ! -d 192.168.0.0/16 -i eth0.60 -o eth0.10 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet" -j ACCEPT
|
-A FORWARD ! -d 192.168.0.0/16 -i eth0.60 -o eth0 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet" -j ACCEPT
|
||||||
-A FORWARD -d 192.168.20.0/24 -i eth0 -o eth0.20 -m comment --comment "forward traffic from vlan30 to VLAN20" -j ACCEPT
|
-A FORWARD -d 192.168.20.0/24 -i eth0.30 -o eth0.20 -m comment --comment "forward traffic from vlan30 to VLAN20" -j ACCEPT
|
||||||
-A FORWARD -d 192.168.30.0/24 -i eth0.40 -o eth0 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30" -j ACCEPT
|
-A FORWARD -d 192.168.30.0/24 -i eth0.40 -o eth0.30 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30" -j ACCEPT
|
||||||
-A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30" -j ACCEPT
|
-A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0.30 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30" -j ACCEPT
|
||||||
-A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0 -p tcp -m tcp --dport 21 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)" -j ACCEPT
|
-A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0.30 -p tcp -m tcp --dport 21 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)" -j ACCEPT
|
||||||
-A FORWARD -d 192.168.40.0/24 -i eth0 -o eth0.40 -m comment --comment "forward traffic from vlan30 to VLAN40" -j ACCEPT
|
-A FORWARD -d 192.168.40.0/24 -i eth0.30 -o eth0.40 -m comment --comment "forward traffic from vlan30 to VLAN40" -j ACCEPT
|
||||||
-A FORWARD -d 192.168.50.0/24 -i eth0 -o eth0.50 -m comment --comment "forward traffic from vlan30 to VLAN50" -j ACCEPT
|
-A FORWARD -d 192.168.50.0/24 -i eth0.30 -o eth0.50 -m comment --comment "forward traffic from vlan30 to VLAN50" -j ACCEPT
|
||||||
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "accept outgoing pings" -j ACCEPT
|
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "accept outgoing pings" -j ACCEPT
|
||||||
-A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "accept outgoing dhcp" -j ACCEPT
|
-A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "accept outgoing dhcp" -j ACCEPT
|
||||||
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment "accept outgoing dns" -j ACCEPT
|
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment "accept outgoing dns" -j ACCEPT
|
||||||
@ -35,8 +35,8 @@
|
|||||||
-A OUTPUT -p tcp -m tcp --dport 22 -m comment --comment "accept outgoing ssh" -j ACCEPT
|
-A OUTPUT -p tcp -m tcp --dport 22 -m comment --comment "accept outgoing ssh" -j ACCEPT
|
||||||
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all outgoing established and related trafic" -j ACCEPT
|
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all outgoing established and related trafic" -j ACCEPT
|
||||||
-A OUTPUT -o lo -m comment --comment "accept all outgoing traffic of the loopback device" -j ACCEPT
|
-A OUTPUT -o lo -m comment --comment "accept all outgoing traffic of the loopback device" -j ACCEPT
|
||||||
-A OUTPUT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device" -j ACCEPT
|
-A OUTPUT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device" -j ACCEPT
|
||||||
-A OUTPUT ! -d 192.168.0.0/16 -o eth0.10 -m comment --comment "accept all outgoing traffic to the internet" -j ACCEPT
|
-A OUTPUT ! -d 192.168.0.0/16 -o eth0 -m comment --comment "accept all outgoing traffic to the internet" -j ACCEPT
|
||||||
COMMIT
|
COMMIT
|
||||||
# Completed on Mon Oct 2 20:48:26 2023
|
# Completed on Mon Oct 2 20:48:26 2023
|
||||||
# Generated by iptables-save v1.8.7 on Mon Oct 2 20:48:26 2023
|
# Generated by iptables-save v1.8.7 on Mon Oct 2 20:48:26 2023
|
||||||
@ -45,9 +45,9 @@ COMMIT
|
|||||||
:INPUT ACCEPT [0:0]
|
:INPUT ACCEPT [0:0]
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
-A POSTROUTING -o eth0.10 -m comment --comment "masquerade ->eth0.10" -j MASQUERADE
|
-A POSTROUTING -o eth0 -m comment --comment "masquerade ->eth0.10" -j MASQUERADE
|
||||||
-A POSTROUTING -o eth0.20 -m comment --comment "masquerade ->eth0.20" -j MASQUERADE
|
-A POSTROUTING -o eth0.20 -m comment --comment "masquerade ->eth0.20" -j MASQUERADE
|
||||||
-A POSTROUTING -o eth0 -m comment --comment "masquerade ->eth0.30" -j MASQUERADE
|
-A POSTROUTING -o eth0.30 -m comment --comment "masquerade ->eth0.30" -j MASQUERADE
|
||||||
-A POSTROUTING -o eth0.40 -m comment --comment "masquerade ->eth0.40" -j MASQUERADE
|
-A POSTROUTING -o eth0.40 -m comment --comment "masquerade ->eth0.40" -j MASQUERADE
|
||||||
-A POSTROUTING -o eth0.50 -m comment --comment "masquerade ->eth0.50" -j MASQUERADE
|
-A POSTROUTING -o eth0.50 -m comment --comment "masquerade ->eth0.50" -j MASQUERADE
|
||||||
COMMIT
|
COMMIT
|
||||||
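Review bot: The nat POSTROUTING rule that now matches `-o eth0` still carries the comment `"masquerade ->eth0.10"`, so `iptables -t nat -L -v` will label the internet-facing masquerade with an interface name that no longer appears anywhere else in this ruleset; change it to `-A POSTROUTING -o eth0 -m comment --comment "masquerade ->eth0 (vlan10/internet)" -j MASQUERADE`. The companion shell script in this commit has the same stale comment on its `sudo iptables -t nat -A POSTROUTING -o eth0 ... "masquerade ->eth0.10"` line and should be fixed together with this one. Which line of each pair is the new side is not marked on this page; I am reading the `-o eth0` variant as the new side because the commit title says vlan10 is now eth0. The header `# Generated by iptables-save v1.8.7 on Mon Oct 2 20:48:26 2023` is unchanged although the rules were edited by hand, so this file is no longer a verbatim dump of the live ruleset; regenerating it with `iptables-save` after applying the script would keep the two in sync. Since eth0 is now the untagged internet-facing interface, the interface-agnostic accept `-A INPUT -p udp -m udp --dport 123 ... -j ACCEPT` also admits NTP arriving on it (as it did on eth0.10 before), so if the host does not need to accept NTP from vlan10, adding `! -i eth0` to that rule would tighten it.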
|