Hi All,
I have configured a client's ClearOS 7 server with one external NIC and one LAN NIC with the following LAN interfaces:
em2 LAN Static 192.168.237.1 "production network" configured Static with DHCP server enabled
VLAN
em2.10 LAN Static 192.168.238.1 "guest network" configured Static with DHCP server enabled
em2.20 LAN Static 192.168.239.1 "printer network" configured Static with DHCP server enabled
The intent is to allow traffic to and from the printer network from both the production and guest networks while blocking traffic between the production and guest networks. I found the following documentation: https://documentation.clearos.com/content:en_us:kb_o_custom_firewall_module_examples
Based on the section "Managing LAN-to-LAN Traffic" I've added the following rules to the Custom Firewall:
$IPTABLES -I FORWARD -i em2 -o em2.10 -j DROP
$IPTABLES -I FORWARD -i em2.10 -o em2 -j DROP
I verified at the command line that the rules were active; however, they did nothing to block traffic between the production and guest networks. Also, all of the VLANs are working as expected.
Assuming I can get this fixed I would also like to block access from the guest and printer networks to web-config and ssh. I believe that would be done like this:
$IPTABLES -t nat -I PREROUTING -s 192.168.238.0/24 -p tcp --dport 81 -j DROP
$IPTABLES -t nat -I PREROUTING -s 192.168.238.0/24 -p tcp --dport 22 -j DROP
$IPTABLES -t nat -I PREROUTING -s 192.168.239.0/24 -p tcp --dport 81 -j DROP
$IPTABLES -t nat -I PREROUTING -s 192.168.239.0/24 -p tcp --dport 22 -j DROP
I'm not sure if I have the syntax right for the IP range for my situation; I'm assuming I have the port numbers right.
Any help would be appreciated,
Thanks,
Jeff
Responses (1)
Accepted Answer
Hi Jeff,
Perhaps the following discussion might help you: Network Segment Setup Question
I checked my COS7 server, and Nick helped me to create a custom rule using PREFILTER to allow two network segments to communicate with each other. Something like this might help or at least give you an idea of what to look for. This allows a wireless network segment **192.168.100.0/24** to communicate with and access **192.168.101.0/24**. 192.168.100.2 is the wifi router.
Details are in the post linked above.
$IPTABLES -I POSTROUTING -t nat -d 192.168.100.2 -s 192.168.101.0/24 -j SNAT --to-source your_ClearOS_WiFi_segment_LAN_IP
I think you may need to define the network segments with full x.x.x.x/y notation to make it work right.
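As an added example (not code from this thread or from ClearOS itself), here is the policy Jeff describes written as a custom-firewall fragment, using his interface names, subnets and ports. The production/guest drops stay in FORWARD as in the question, while the web-config and ssh blocks go in the INPUT chain of the filter table instead of nat/PREROUTING, and each rule is checked with -C before it is inserted so re-running the hook does not stack duplicates.

```shell
#!/bin/sh
# Constructed example for the policy in the question (not from the thread or
# ClearOS's own code). Assumes Jeff's interface names, subnets and ports.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # ClearOS custom firewall exports $IPTABLES

PROD_IF=em2      GUEST_IF=em2.10
GUEST_NET=192.168.238.0/24
PRINT_NET=192.168.239.0/24
ADMIN_PORTS="81 22"                      # web-config and ssh

# Emit each rule as "<table> <chain> <match ...> -j <target>" so one list
# drives applying (-I), checking (-C) and review.
policy_rules() {
    # Production <-> guest dropped both ways in FORWARD; -I puts these above the
    # ACCEPT rules ClearOS generates. em2.20 (printer VLAN) is untouched, so
    # both networks keep reaching it.
    echo "filter FORWARD -i $PROD_IF -o $GUEST_IF -j DROP"
    echo "filter FORWARD -i $GUEST_IF -o $PROD_IF -j DROP"
    # Access to services on the ClearOS box itself is decided in filter/INPUT.
    # nat/PREROUTING is for address rewriting and sees only a connection's
    # first packet, so it is the wrong table for this filtering.
    for net in $GUEST_NET $PRINT_NET; do
        for port in $ADMIN_PORTS; do
            echo "filter INPUT -s $net -p tcp --dport $port -j DROP"
        done
    done
}

# Insert only the rules that are not already loaded.
apply_policy() {
    policy_rules | while read -r table chain rest; do
        # shellcheck disable=SC2086  # $rest must split into separate arguments
        $IPTABLES -t "$table" -C "$chain" $rest 2>/dev/null \
            || $IPTABLES -t "$table" -I "$chain" $rest
    done
}

# Report policy rules the live ruleset lacks (useful after a firewall restart).
check_policy() {
    policy_rules | while read -r table chain rest; do
        # shellcheck disable=SC2086
        $IPTABLES -t "$table" -C "$chain" $rest 2>/dev/null \
            || echo "MISSING $table $chain $rest"
    done
}

case "${1:-}" in
    apply) apply_policy ;;
    check) check_policy ;;
esac
```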