Koozali.org: home of the SME Server

Can I use iptables to add extra firewall rules?

tspoon1986
Can I use iptables to add extra firewall rules?
« on: November 26, 2008, 03:59:39 AM »
I'm setting up a network for a client, and I'm using an SME Server 7.4 as their firewall/gateway. The network looks like this:

Internet
          |
          |
          |
Non-SME Modem/Gateway (192.168.99.254)
          |
          |
          |
192.168.99.0/24 network
          |
          |
          |
SME external interface eth1 (192.168.99.2)
SME internal interface eth0 (192.168.81.1)
          |
          |
          |
192.168.81.0/24 network

So, as you can see, I'm using the SME Server to act as a gateway from the 192.168.81.0/24 network to the 192.168.99.0/24 network. It is also running dansguardian transparently.

The 192.168.81.0/24 network will be used for community college-type computer training courses, and the 192.168.99.0/24 range is an office network. So, while still sharing the internet access, I'd like to deny access from the 192.168.81.0/24 range to 192.168.99.0/24.

I tried the following iptables rule:

Code:
    iptables -A FORWARD -d 192.168.99.0/255.255.255.0 -i eth0 -j DROP

but I could still ping the 192.168.99.0/24 range from 192.168.81.0/24, even after a signal-event post-upgrade and signal-event reboot.

Have I just made a small mistake in the iptables command, or is this completely the wrong way to go about it? I realise I could build another firewall to protect the 192.168.99.0/24 range, but it would be a whole lot less hassle if there was a simple way I could get SME to do it.

Thanks in advance.

David Harper
Re: Can I use iptables to add extra firewall rules?
« Reply #1 on: November 26, 2008, 04:24:22 AM »
The information in the wiki should help you to accomplish this.

tspoon1986
Re: Can I use iptables to add extra firewall rules?
« Reply #2 on: November 26, 2008, 05:20:39 AM »
Thanks for that, I'll give it a try. I did try searching the wiki for iptables, but didn't think to search for firewall!

CharlieBrady
Re: Can I use iptables to add extra firewall rules?
« Reply #3 on: November 26, 2008, 06:29:43 AM »
> Have I just made a small mistake in the iptables command, or is this completely the wrong way to go about it?

You are using "append", which adds your DROP rule after packets have already been permitted (via local_chk).

But you are also going about it the wrong way. If you want to protect a network, you really should be segregating its traffic, not setting up a passthrough channel.
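The ordering point made in the reply above, as an added example that is not part of this thread and not SME Server code: a small POSIX shell simulator of netfilter's first-match evaluation. The single ACCEPT line standing in for SME's generated FORWARD chain, the chain policy of DROP, the "any" interface keyword and the sample addresses (192.168.99.10 on the office LAN, 198.51.100.7 as an Internet host) are all constructed for the demonstration. It shows that a rule appended with -A behind an existing ACCEPT is never reached, while the same rule inserted at the top with -I is evaluated first and still leaves Internet-bound forwarding alone.

```shell
#!/bin/sh
# Added example, not from the thread or SME Server: simulate how a netfilter
# chain evaluates rules top to bottom and stops at the first terminating match.
# Rules here are constructed "in_iface dst_cidr target" triples, not iptables syntax.

# ip_to_int 192.168.99.10 -> decimal value of the dotted quad
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP falls inside CIDR (e.g. 192.168.99.0/24)
in_cidr() {
    net=${2%/*}; prefix=${2#*/}
    [ "$prefix" -eq 0 ] && return 0          # /0 matches everything
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# evaluate_chain CHAIN IN_IFACE DST_IP POLICY
# CHAIN is a newline-separated rule list; "any" matches every interface.
# Prints the target of the first matching rule, or POLICY if none matches.
evaluate_chain() {
    chain=$1; in_if=$2; dst=$3; policy=$4
    result=$(echo "$chain" | while read -r r_if r_cidr r_target; do
        [ -z "$r_target" ] && continue
        if { [ "$r_if" = any ] || [ "$r_if" = "$in_if" ]; } && in_cidr "$dst" "$r_cidr"; then
            echo "$r_target"
            break                             # first match wins, stop here
        fi
    done)
    echo "${result:-$policy}"
}

# Constructed stand-in for the ACCEPT that SME's generated chain already
# applies to traffic arriving on the internal interface (real local_chk is richer).
SME_CHAIN="eth0 0.0.0.0/0 ACCEPT"
# The rule from the question, in the simulator's notation.
BLOCK_RULE="eth0 192.168.99.0/24 DROP"

# iptables -A: the DROP lands below the ACCEPT and is never consulted.
appended_result() {
    evaluate_chain "$(printf '%s\n%s\n' "$SME_CHAIN" "$BLOCK_RULE")" eth0 192.168.99.10 DROP
}

# iptables -I (position 1): the DROP is checked before the ACCEPT.
inserted_result() {
    evaluate_chain "$(printf '%s\n%s\n' "$BLOCK_RULE" "$SME_CHAIN")" eth0 192.168.99.10 DROP
}

# With the rule inserted, forwarding to a non-office address is unaffected.
inserted_internet_result() {
    evaluate_chain "$(printf '%s\n%s\n' "$BLOCK_RULE" "$SME_CHAIN")" eth0 198.51.100.7 DROP
}

echo "appended (-A) -> $(appended_result)"
echo "inserted (-I) -> $(inserted_result)"
echo "inserted, Internet-bound -> $(inserted_internet_result)"
```

The same first-match logic is what makes the real fix a matter of position rather than syntax: the question's rule is well-formed, it is simply evaluated too late. Note that on SME Server the generated rule set is rewritten on events such as the ones the poster ran, so any hand-added rule also has to survive that regeneration; the wiki page David Harper points to covers how the project expects that to be done.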

gzartman
Re: Can I use iptables to add extra firewall rules?
« Reply #4 on: November 26, 2008, 08:30:57 AM »
> I realize I could build another firewall to protect the 192.168.99.0/24 range, but it would be a whole lot less hassle if there was a simple way I could get SME to do it.

There are likely some firewall tricks you could do on SME, but I think your best bet is to set up another router/gateway for your 99.0/24 subnet and modify your SME subnet to use the main WAN gateway. You don't need to spend a lot of money on another gateway. You could set up another SME box or buy a $40 consumer-grade router (Office Depot).

In summary, you would be setting up a gateway/router for each subnet you wish to deploy, each of which will use your primary router/gateway as the subnet gateway.  This will provide you the most control over security and will also simplify deployment.
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.