[Tfug] Looking for help with CIDR block setup

lighthacker lighthacker at gmail.com
Fri Nov 5 22:11:20 MST 2010


More information: I did a "nvram show | grep vlan.ports" and this is what I saw.

vlan2ports=0 8
vlan0ports=1 2 3 4 5*
ping_ip=nvram show | grep vlan.ports
vlan1ports=4 3 2 1 8*

vlan1 is the NATed ports and should be 1 and 2 via the web interface
vlan2 is the DMZ and should be 3 and 4 also via the web interface.

Clearly this is not the case.

The firewall rules I set up are as follows:

# gateway mode, vlan3 nat disabled
# NOTE: every rule below is added with -I (insert at the head of the chain),
# so within a chain the rules listed later are evaluated first at run time.

PUBCIDR="68.14.242.192/28"
MYIP="68.14.242.193"
# optional BASTION host
BASTION="68.14.242.199"
LANET="192.168.1.0/24"
WANIP="70.167.214.177"

# drop obvious spoof attempts
iptables -t nat -N chkspoof
iptables -t nat -A chkspoof -s 192.168.0.0/16 -j DROP
iptables -t nat -A chkspoof -s 172.16.0.0/12 -j DROP
iptables -t nat -A chkspoof -s 10.0.0.0/8 -j DROP

iptables -t nat -I PREROUTING -i vlan2 -j chkspoof
iptables -t nat -I PREROUTING -i vlan3 -j chkspoof

# disable NAT for PUBCIDR => WAN
iptables -t nat -I POSTROUTING -s $PUBCIDR -j ACCEPT

# NAT private lan to PUBLIC net
iptables -t nat -I POSTROUTING -o vlan3 -s $LANET -j SNAT --to-source $MYIP

# allow access to routed PUBLIC net
# block access to GUI from internet, allow from bastion host
iptables -I FORWARD -d $PUBCIDR -j ACCEPT
iptables -I FORWARD -d $MYIP -j DROP
iptables -I FORWARD -s $BASTION -d $MYIP -j ACCEPT

# block PUBCIDR -> LAN, allow LAN -> PUBCIDR
iptables -I FORWARD -i vlan3 -o br0 -j DROP
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block access to GUI from PUBLIC net, allow from bastion host
iptables -I INPUT -s $PUBCIDR -d $MYIP -j DROP

# block access to WAN IP from PUBLIC net
iptables -I INPUT -s $PUBCIDR -d $WANIP -j DROP
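As an added example (not part of the original post), a small shell check that parses the vlanNports lines from "nvram show" and compares each VLAN against the intended physical-port layout, so a mismatch like the one above is reported directly. It assumes port 8 (port 5 on older Broadcom boards) is the internal CPU link rather than a physical LAN port, and that a trailing "*" is only a flag to be stripped.

```shell
#!/bin/sh
# Added check: compare the vlanNports values from "nvram show" against the
# port assignment you intended, instead of discovering the mismatch later
# from traffic that landed on the wrong segment.
# Assumption: ports 5 and 8 are the internal CPU-facing link on Broadcom
# switches and are ignored; a trailing "*" is a flag, not part of the port.

# Constructed sample, copied from the nvram output quoted in the post.
NVRAM_SAMPLE='vlan2ports=0 8
vlan0ports=1 2 3 4 5*
vlan1ports=4 3 2 1 8*'

# Physical ports (sorted, space separated) that a VLAN currently carries.
# Usage: actual_ports <vlan-number> "<nvram dump>"
actual_ports() {
    printf '%s\n' "$2" | sed -n "s/^vlan$1ports=//p" | tr ' ' '\n' |
        sed 's/\*$//' | grep -v -x -e 5 -e 8 |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Report whether VLAN $1 carries exactly the ports listed in $2 (any order).
# Usage: check_vlan <vlan-number> "<expected ports>" "<nvram dump>"
# Prints ok/MISMATCH and returns 0/1 so it can drive a cron or boot check.
check_vlan() {
    want=$(printf '%s\n' $2 | sort -n | tr '\n' ' ' | sed 's/ $//')
    got=$(actual_ports "$1" "$3")
    if [ "$got" = "$want" ]; then
        echo "vlan$1 ok: ports [$got]"
        return 0
    fi
    echo "vlan$1 MISMATCH: want [$want], have [$got]"
    return 1
}

# Intended layout from the post: vlan1 = NATed LAN (1 2), vlan2 = DMZ (3 4).
# Against the quoted nvram dump both checks report MISMATCH.
fail=0
check_vlan 1 "1 2" "$NVRAM_SAMPLE" || fail=1
check_vlan 2 "3 4" "$NVRAM_SAMPLE" || fail=1
```

On the router itself, replace the constructed sample with `nvram show | grep vlan.ports` so the check runs against live values.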
