[Firewall] vlan traffic

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Mar 1 23:04:35 CET 2010


Matthew,

Also take a look at the IF_TRUSTS variable, it can be more restrictive (secure) than the TRUSTED_IF variable.

IF_TRUSTS="eth1.2 eth1.3"

would allow VLANs 2 & 3 to talk to each other, no others.

IF_TRUSTS="eth1.2 eth1.3|eth1.4 eth1.5"

would allow VLANs 2 & 3 and VLANs 4 & 5 to talk to each other, no others.

Lonnie


On Mar 1, 2010, at 2:50 PM, Matthew Nelson wrote:

> to answer my own question...
> 
> apparently having: 
> TRUSTED_IF="eth1.2"
> 
> does the trick.  
> 
> :)
> 
> On Mon, Mar 1, 2010 at 3:36 PM, Matthew Nelson <matt at aa-technology.com> wrote:
> Hi All,
> 
> I've got several VLANs set up on the internal interface (eth1).  Currently, all machines can access the internet, but none of the VLANs can communicate with each other (expected behavior).  I'd like to have 1 VLAN be accessible from the rest of them, but I'm not sure on the syntax.
> 
> I'm using version 1.9.2j
> 
> pertinent config: 
> INT_IF="eth1 eth1.2 eth1.3 eth1.4 eth1.5"
> INTERNAL_NET="192.168.51.0/24 192.168.52.0/24 192.168.53.0/24 192.168.54.0/24 192.168.55.0/24"
> INT_NET_BCAST_ADDRESS="192.168.51.255 192.168.52.255 192.168.53.255 192.168.54.255 192.168.55.255"
> NAT="1"
> 
> I assumed that using the following command would enable the traffic, but it does not:
> iptables -A FORWARD -s 192.168.52.0/24 -d 192.168.53.0/24 -j ACCEPT
> 
> which would essentially allow traffic from VLAN 2 to VLAN 3, but when I enter this command manually or in /etc/arno-iptables-firewall/custom-rules it is not allowing the traffic.
> 
> I tried enabling ip_forward in /etc/sysctl.conf:
> net.ipv4.ip_forward=1
> 
> which didn't work either.
> 
> any suggestions?
> 
> Thanks!
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
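The following is an added illustration of the IF_TRUSTS group syntax as Lonnie describes it above; it is not code from Arno's iptables firewall. It assumes that interfaces inside one space-separated group may forward to each other in both directions, that `|` separates independent groups, and that an interface named in no group keeps the default of no inter-VLAN forwarding. The `iptables` lines it renders are a hypothetical reading of what such a policy amounts to, not the firewall script's actual output.

```python
"""Model of the IF_TRUSTS group syntax (added example, not Arno's code).

Assumed semantics, taken from the reply above:
  - interfaces within one space-separated group may talk to each other
  - '|' separates groups that are isolated from one another
  - anything not listed keeps the default (no inter-VLAN forwarding)
"""
from itertools import permutations


def parse_if_trusts(value):
    """Split an IF_TRUSTS string into a list of interface groups."""
    groups = []
    for chunk in value.split("|"):
        ifaces = chunk.split()
        if ifaces:
            groups.append(ifaces)
    return groups


def trusted_pairs(value):
    """Return the set of ordered (src_if, dst_if) pairs allowed to forward.

    Both directions inside a group are included; this is an assumption
    about how 'talk to each other' is meant.
    """
    pairs = set()
    for group in parse_if_trusts(value):
        for src, dst in permutations(group, 2):
            pairs.add((src, dst))
    return pairs


def is_allowed(value, src_if, dst_if):
    """True if traffic entering src_if may be forwarded out dst_if."""
    return (src_if, dst_if) in trusted_pairs(value)


def forward_rules(value):
    """Render one FORWARD ACCEPT rule per allowed direction.

    Hypothetical rendering for illustration; the real script builds its
    own rule set and may use different chains and matches.
    """
    return [
        f"iptables -A FORWARD -i {src} -o {dst} -j ACCEPT"
        for src, dst in sorted(trusted_pairs(value))
    ]


if __name__ == "__main__":
    # Constructed sample values matching the two examples in the reply.
    for sample in ("eth1.2 eth1.3", "eth1.2 eth1.3|eth1.4 eth1.5"):
        print(f'IF_TRUSTS="{sample}"')
        for rule in forward_rules(sample):
            print("  " + rule)
```

Checking a policy this way before applying it makes the difference between the two settings concrete: with the grouped value, `is_allowed(v, "eth1.3", "eth1.4")` is false because the two interfaces sit in different `|`-separated groups, while `is_allowed(v, "eth1.4", "eth1.5")` is true. Note that the rule Matthew tried earlier matched only on source and destination subnets; a per-interface model like this one makes it easier to see which VLAN pairs a given string actually opens.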