[Firewall] How to make two internal nets visible to each other

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Feb 4 16:23:19 CET 2015


Hi Jānis,

By default all internal (LAN) segments are isolated from each other as you have demonstrated.

Assuming eth1 and eth2 are your internal interfaces, then defining:
--
IF_TRUSTS="eth1 eth2"
--
will allow those segments to forward traffic to each other.

Another solution would be to only define eth1 as the internal LAN and define eth2 as the DMZ interface.  In this case the LAN can access the DMZ but the DMZ can not access the LAN or local box without adding rules such as DMZ_LAN_HOST_OPEN_xxx and DMZ_HOST_OPEN_xxx to selectively allow DMZ traffic.  By default the DMZ is allowed outbound INET traffic.

Personally, I organize my network using a DMZ interface and place internet connected media devices and such in the DMZ so if any such device fell prey to a vulnerability the damage would be limited to DMZ devices.

Lonnie

PS: Tip, if you use the DMZ technique you will probably want to allow DHCP (and possibly DNS) to the local box, for example via DMZ_HOST_OPEN_UDP="0/0~53,67,68" .



On Feb 4, 2015, at 8:12 AM, Jānis <je at ktf.rtu.lv> wrote:

> Hi there!
> I have a box with 3 NICs, 1 external and two internal serving separate private networks (192.168.1.0/24 and 192.168.2.0/24). While both private nets communicate with the internet, it is not possible to see (to connect to) the servers on the neighbouring private net.
> 
> I believe it is extremely simple, but how could I achieve it? Does it have anything to do with Arno's script configuration, or is it just a routing question?
> 
> Regards - Janis
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 
> 
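As an added illustration (not Arno's script and not code from the reply above), the following POSIX sh snippet expands the two settings Lonnie mentions, IF_TRUSTS and DMZ_HOST_OPEN_UDP, into the plain iptables rules they stand for, so the difference between "trusted segments forward freely" and "DMZ may only reach the local box on listed ports" is visible. The "hosts~port,port" entry syntax is the one quoted in the reply; the DMZ_IF variable, the chain names and the rule ordering are assumptions for the illustration, and the script only prints commands rather than running them.

```shell
#!/bin/sh
# Constructed example: render IF_TRUSTS and DMZ_HOST_OPEN_UDP into iptables
# commands (printed, never executed). Chain names and ordering are assumed
# for illustration and are not Arno's own generator output.

# Constructed configuration values (the DMZ_IF name is an assumption)
IF_TRUSTS="eth1 eth2"
DMZ_IF="eth2"
DMZ_HOST_OPEN_UDP="0/0~53,67,68"

# Every pair of trusted interfaces may forward to each other in both
# directions; this is what IF_TRUSTS="eth1 eth2" buys you.
trusted_forward_rules() {
    for src in $1; do
        for dst in $1; do
            [ "$src" = "$dst" ] && continue
            echo "iptables -A FORWARD -i $src -o $dst -j ACCEPT"
        done
    done
}

# Expand "hosts~port,port hosts~port,port" into INPUT rules on the DMZ
# interface, i.e. traffic from DMZ devices to the firewall box itself.
# "0/0" means any source host. Anything not listed stays dropped.
dmz_host_open_rules() {
    proto=$1; iface=$2; spec=$3
    for entry in $spec; do
        hosts=${entry%%~*}
        ports=${entry#*~}
        [ "$hosts" = "0/0" ] && hosts="0.0.0.0/0"
        old_ifs=$IFS; IFS=,
        for port in $ports; do
            echo "iptables -A INPUT -i $iface -p $proto -s $hosts --dport $port -j ACCEPT"
        done
        IFS=$old_ifs
    done
}

# Usage: print both rule sets for the constructed configuration
echo "# IF_TRUSTS=\"$IF_TRUSTS\""
trusted_forward_rules "$IF_TRUSTS"
echo "# DMZ_HOST_OPEN_UDP=\"$DMZ_HOST_OPEN_UDP\" on $DMZ_IF"
dmz_host_open_rules udp "$DMZ_IF" "$DMZ_HOST_OPEN_UDP"
```

Note that the DMZ variant produces only INPUT rules toward the local box; no FORWARD rule from the DMZ into the LAN appears unless a DMZ_LAN_HOST_OPEN_xxx setting is added, which is exactly the containment Lonnie describes.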


