[Firewall] TRUSTED_IF not showing up

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu Nov 7 05:41:12 CET 2013


Chris,

If you issue "iptables -nvL INPUT" you will see the "br1" in #11:
--
0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
--

But, let's take a step back, the TRUSTED_IF="" should only be used for special situations as it is marked as (EXPERT SETTING!).

While there is no one solution, you might try setting br2 as a DMZ interface... (no TRUSTED_IF)

INT_IF="br1"
INTERNAL_NET="192.168.1.0/24"
DMZ_IF="br2"
DMZ_NET="192.168.2.0/24"
NAT_INTERNAL_NET="192.168.1.0/24 192.168.2.0/24"
NAT=1

# Allow DNS and DHCP to Local on DMZ
DMZ_HOST_OPEN_UDP="0/0~53,67"

# Allow br2 to LAN for select host/ports, e.g. IPP Printer
DMZ_LAN_HOST_OPEN_TCP="0/0>192.168.1.20~631"

# Note all of br2 is reachable by br1 by default in this scenario, br1 is not reachable by br2

# both br1 and br2 may reach the external network (internet)

Lonnie


On Nov 6, 2013, at 6:51 PM, Chris Vavruska wrote:

> Since I didn't get any reply for my last issue I thought I would pose a more pointed question:
> 
> I have a config line that looks like:
> 
> TRUSTED_IF="br1"
> 
> I see in the script it executes
> iptables -A INPUT -i $interface -j ACCEPT
> 
> which gives me output:
> Accepting ALL INPUT packets from trusted interface(s): br1
> 
> Why don't I see a rule in the INPUT chain for br1?
> 
> Chain INPUT (policy DROP)
> num  target     prot opt source               destination         
> 1    BASE_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0           
> 2    INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0           
> 3    HOST_BLOCK_SRC  all  --  0.0.0.0/0            0.0.0.0/0           
> 4    SPOOF_CHK  all  --  0.0.0.0/0            0.0.0.0/0           
> 5    VALID_CHK  all  --  0.0.0.0/0            0.0.0.0/0           
> 6    EXT_INPUT_CHAIN !icmp --  0.0.0.0/0            0.0.0.0/0            state NEW
> 7    EXT_INPUT_CHAIN  icmp --  0.0.0.0/0            0.0.0.0/0            state NEW limit: avg 60/sec burst 100
> 8    EXT_ICMP_FLOOD_CHAIN  icmp --  0.0.0.0/0            0.0.0.0/0            state NEW
> 9    INT_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0           
> 10   INT_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0           
> 11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
> 12   POST_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0           
> 13   LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "AIF:Dropped INPUT packet: "
> 14   DROP       all  --  0.0.0.0/0            0.0.0.0/0           
> 
> What would cause me to not see the rule in the table?
> 
> Thanks,
> 
> Chris
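The point Lonnie makes is that a plain "iptables -L" listing drops the in/out interface columns, so an interface-scoped rule like the TRUSTED_IF ACCEPT looks as if it accepts everything. The following is an added example, not code from the thread or from the firewall project: it parses the verbose listing ("iptables -nvL --line-numbers INPUT") and reports which interfaces bypass all INPUT filtering. The listing it reads is constructed from Chris's output with made-up counters and interface names.

```python
"""Audit `iptables -nvL --line-numbers INPUT` output for interface-scoped
unrestricted ACCEPT rules (what TRUSTED_IF installs) versus truly global ones."""

# Constructed sample, modelled on the thread's listing; counters, the "in"
# column and rule 6's interface are assumed, not taken from the real box.
IPT_SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      900 60000 BASE_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6      120  8000 EXT_INPUT_CHAIN  !icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
9      300 20000 INT_INPUT_CHAIN  all  --  br1    *       0.0.0.0/0            0.0.0.0/0
10      50  3000 INT_INPUT_CHAIN  all  --  br2    *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
13       2   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "AIF:Dropped INPUT packet: "
14       2   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Column order of a verbose, numbered listing; anything after "destination"
# (state, limit, LOG options...) is kept as one "extra" match string.
FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt",
          "in", "out", "source", "destination")


def parse_rules(listing):
    """Return one dict per rule line; chain and column headers are skipped."""
    rules = []
    for line in listing.splitlines():
        parts = line.split(None, len(FIELDS))
        if len(parts) < len(FIELDS) or not parts[0].isdigit():
            continue
        rule = dict(zip(FIELDS, parts))
        rule["extra"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
        rules.append(rule)
    return rules


def _unrestricted_accept(rule):
    """ACCEPT with no protocol, address or extra match: only the interface limits it."""
    return (rule["target"] == "ACCEPT" and rule["prot"] == "all"
            and rule["source"] == "0.0.0.0/0" and rule["destination"] == "0.0.0.0/0"
            and not rule["extra"])


def trusted_interfaces(rules):
    """Interfaces whose traffic is accepted wholesale, i.e. what TRUSTED_IF produces."""
    return sorted({r["in"] for r in rules if _unrestricted_accept(r) and r["in"] != "*"})


def wildcard_accepts(rules):
    """Rule numbers that accept everything from every interface (what a
    listing without -v makes rule 11 look like)."""
    return [int(r["num"]) for r in rules if _unrestricted_accept(r) and r["in"] == "*"]


if __name__ == "__main__":
    rules = parse_rules(IPT_SAMPLE)
    print("trusted interfaces:", trusted_interfaces(rules))
    print("global accepts:", wildcard_accepts(rules))
```

Run it against a live box with `iptables -nvL --line-numbers INPUT | python3 audit.py` after replacing IPT_SAMPLE with `sys.stdin.read()`; an interface turning up in the trusted list means every INPUT packet from it skips the INT/EXT chains entirely.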


