I'm trying to isolate LAN segments, but I can't seem to get the iptables rules to work the way the ClearOS example says they should.
Two NICs providing LAN segments should be segregated, as one is for management, the other is for users.
Please see attachment for input and results.
1 snippet straight from ClearOS docs. I believe I'm duplicating this correctly.
2 the NICs in question, as seen in webconfig GUI
3 the commands entered in CLI
4 the resulting output from "iptables -L -n -v --line-numbers"
5 the ping still going through
Accepted Answer
The rules look OK but not the testing. The INPUT chain is used for blocking traffic into the server and the FORWARD chain for blocking traffic through the server. Try your ping test to a LAN device rather than the LAN interface, but note it is better to avoid a Windows machine as a ping target as they generally block pings from outside your own subnet. If you have a printer or something like that, try pinging it.
Note that if you want management to be able to access the user LAN, only one rule should be used to block traffic from the user LAN (-i) to the management LAN (-o), and add the following to your rule:
-m conntrack --ctstate NEW
Then replies back to the management should still get through.
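An added toy model of the chain distinction drawn in this answer, written for this page rather than taken from ClearOS or netfilter; the interface names eth1 (management) and eth2 (users) and all addresses are constructed assumptions:

```python
# Toy model of how netfilter picks INPUT vs FORWARD and of the single
# conntrack rule recommended above. Not ClearOS code; names/addresses constructed.
LOCAL_ADDRS = {"eth1": "192.168.10.1", "eth2": "192.168.20.1"}   # management, users
ROUTES = {"192.168.10.": "eth1", "192.168.20.": "eth2"}

def egress_if(dst):
    """Outgoing interface for dst, or None when dst is one of the server's own addresses."""
    if dst in LOCAL_ADDRS.values():
        return None
    for prefix, ifname in ROUTES.items():
        if dst.startswith(prefix):
            return ifname
    return "eth0"  # constructed WAN / default route

def chain_for(pkt):
    """INPUT is evaluated for packets addressed to the host, FORWARD for routed ones."""
    return "INPUT" if egress_if(pkt["dst"]) is None else "FORWARD"

def matches(rule, pkt):
    """Mirror the -i / -o / -m conntrack --ctstate matches used in the thread."""
    if rule.get("i") and rule["i"] != pkt["in_if"]:
        return False
    if rule.get("o") and rule["o"] != egress_if(pkt["dst"]):
        return False
    if rule.get("ctstate") and rule["ctstate"] != pkt["state"]:
        return False
    return True

def verdict(rules, pkt):
    """Return (chain, target): first matching rule in the packet's chain wins, else ACCEPT."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, rule["target"]
    return chain, "ACCEPT"

# The one rule the answer recommends: drop NEW flows from the user LAN to the management LAN.
RULES = [{"chain": "FORWARD", "i": "eth2", "o": "eth1", "ctstate": "NEW", "target": "DROP"}]

def ping(in_if, src, dst, state="NEW"):
    """Classify one ICMP echo request (or its reply, when state is ESTABLISHED)."""
    return verdict(RULES, {"in_if": in_if, "src": src, "dst": dst, "state": state})

if __name__ == "__main__":
    # Pinging the LAN interface itself goes through INPUT, so the FORWARD rule never sees it.
    print(ping("eth2", "192.168.20.50", "192.168.10.1"))    # ('INPUT', 'ACCEPT')
    # Pinging a device on the management LAN is forwarded and gets dropped.
    print(ping("eth2", "192.168.20.50", "192.168.10.20"))   # ('FORWARD', 'DROP')
    # Management may open flows to users, and the ESTABLISHED reply passes too.
    print(ping("eth1", "192.168.10.20", "192.168.20.50"))   # ('FORWARD', 'ACCEPT')
    print(ping("eth2", "192.168.20.50", "192.168.10.20", "ESTABLISHED"))  # ('FORWARD', 'ACCEPT')
```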
-
You can either make your DC ClearOS's upstream resolver or you can go for split horizon in Dnsmasq. For split horizon, again, add a file in /etc/dnsmasq.d/ and in it put something like:
server=/your_domain/your_DC_IP
Have a look at "man dnsmasq" for more information. Just be careful that you do not set up a DNS loop, e.g. if you make the DC ClearOS's upstream resolver, the DC then has to use something other than ClearOS as its upstream resolver.
-
The relevant entries/targets would be servers on the user branch in a Windows subdomain. Clear doesn't handle DNS for the Windows domain, so I suspect this approach won't work. Not sure how to approach it, or if it's even worth it.
Maybe Windows DNS can do it all with lookup zones. I'll have to read.
-
If you want ClearOS to resolve an FQDN to a different IP dependent on your LAN, either add a line to /etc/dnsmasq.conf:
localise-queries
Or create a file in /etc/dnsmasq.d/ and put the same line in it. dnsmasq will then hand out an IP from /etc/hosts specific to an interface where possible, if one exists. If only one line exists for that FQDN, it will hand out the same IP to all interfaces.
-