Hi, I need help with configuring iptables for g01, attached photo above.
On Router g01:
Configure TCP Wrappers to allow ssh only from a list of specific nodes on black. Include 10.3.1.1 in this list so that you can ssh to the gateway.??
Can anyone help me?
For traffic to pass through this device you need to change your rules from INPUT to FORWARD.
INPUT means the traffic stops at this device.
OUTPUT means traffic originates from this device.
FORWARD means traffic passes through this device.
One thing I would suggest is you not mix STATEFUL (as you have with your icmp rules) with CONNECTION (as you have with your ssh rules) based firewall rules.
STATEFUL are rules that look at the connection state: new, established and related.
CONNECTION are rules that only look at the ports 22, 80, 443, etc.
I would suggest staying with STATEFUL rules.
What are you looking for? I gave you what you needed to do and then you edit your original post and remove the rules you already had listed and post again for help.
Here is a LINK to a TUTORIAL where you can learn IPTABLES.
If you cannot understand what I stated above let me know.
This doesn't work, yes I need help.
I only want the blue zone to ssh to the red zone. The red zone can't ssh back to the blue zone.
on r01 Router
Allow ssh from blue to red
iptables -A INPUT -s 10.2.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 10.2.0.0/16 -p tcp --sport 22 -j ACCEPT
Allow http from blue to red (required for patching)
iptables -A INPUT -s 10.2.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 10.2.0.0/16 -p tcp --sport 80 -j accept
Allow pings both ways
iptables -A INPUT -p icmp -d 0/0 -j ACCEPT
iptables -A OUTPUT -p icmp -d 0/0 -j ACCEPT
Allow nothing else
iptables -A INPUT -j DROP
I explained in my first post the difference between INPUT, OUTPUT and FORWARD. You are going to have to change your rules from INPUT to FORWARD and also turn on forwarding on the system. You should also change your rules from connection to stateful. Here is a sample of what you need:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
The above rules will allow ssh from blue to red. See the tutorial in my second post to learn how to set up your rules and what they do.
no this doesn't work.. thanks anyways