LAN protection from WAN packets - Security
-
LAN protection from WAN packets
I am hosting web services to the public; the webserver has two
interfaces: one pointing to my network LAN (10.x.x.x)
and the other one connecting to the DMZ 192.x.x.x of the PIX.
Inside the PIX I blocked every protocol except WWW and DNS.
From inside the LAN I did the following rules to allow outgoing ssh,
Oracle ports, www, ... from the private network.
I want to add more rules via iptables to _protect_ my internal LAN
from the public packets, i.e.
to block any forwarded packets to my internal LAN.
Destination     Gateway         Genmask         Iface
10.5.0.0        0.0.0.0         255.255.0.0     eth0
169.254.0.0     0.0.0.0         255.255.0.0     eth1
192.x.0.0       0.0.0.0         255.255.0.0     eth1
10.0.0.0        10.5.0.1        255.0.0.0       eth0
0.0.0.0         192.x.x.1       0.0.0.0         eth1
-
Re: LAN protection from WAN packets
madunix wrote:
> I am hosting web services to the public; the webserver has two
> interfaces: one pointing to my network LAN (10.x.x.x)
> and the other one connecting to the DMZ 192.x.x.x of the PIX.
> Inside the PIX I blocked every protocol except WWW and DNS.
> From inside the LAN I did the following rules to allow outgoing ssh,
> Oracle ports, www, ... from the private network.
>
> I want to add more rules via iptables to _protect_ my internal LAN
> from the public packets, i.e.
> to block any forwarded packets to my internal LAN.
>
> Destination     Gateway         Genmask         Iface
> 10.5.0.0        0.0.0.0         255.255.0.0     eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     eth1
> 192.x.0.0       0.0.0.0         255.255.0.0     eth1
> 10.0.0.0        10.5.0.1        255.0.0.0       eth0
> 0.0.0.0         192.x.x.1       0.0.0.0         eth1
>
This needs a bit more explanation to be clear. Please make an
artwork of the topology of your networks and hosts.
Greets
Chris
-
Re: LAN protection from WAN packets
On Aug 5, 10:44 pm, Christoph Scheurer wrote:
> madunix wrote:
>
> > I am hosting web services to the public; the webserver has two
> > interfaces: one pointing to my network LAN (10.x.x.x)
> > and the other one connecting to the DMZ 192.x.x.x of the PIX.
> > Inside the PIX I blocked every protocol except WWW and DNS.
> > From inside the LAN I did the following rules to allow outgoing ssh,
> > Oracle ports, www, ... from the private network.
>
> > I want to add more rules via iptables to _protect_ my internal LAN
> > from the public packets, i.e.
> > to block any forwarded packets to my internal LAN.
>
> > Destination     Gateway         Genmask         Iface
> > 10.5.0.0        0.0.0.0         255.255.0.0     eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     eth1
> > 192.x.0.0       0.0.0.0         255.255.0.0     eth1
> > 10.0.0.0        10.5.0.1        255.0.0.0       eth0
> > 0.0.0.0         192.x.x.1       0.0.0.0         eth1
>
> This needs a bit more explanation to be clear. Please make an
> artwork of the topology of your networks and hosts.
>
> Greets
> Chris
Internet --------FW-------
DMZ----------192.x.x.x---------------------|------Web
|----------------------------LAN
10.x.x.x
-
Re: LAN protection from WAN packets
madunix wrote:
> On Aug 5, 10:44 pm, Christoph Scheurer wrote:
>> madunix wrote:
>>
>>> I am hosting web services to the public; the webserver has two
>>> interfaces: one pointing to my network LAN (10.x.x.x)
>>> and the other one connecting to the DMZ 192.x.x.x of the PIX.
>>> Inside the PIX I blocked every protocol except WWW and DNS.
>>> From inside the LAN I did the following rules to allow outgoing ssh,
>>> Oracle ports, www, ... from the private network.
>>> I want to add more rules via iptables to _protect_ my internal LAN
>>> from the public packets, i.e.
>>> to block any forwarded packets to my internal LAN.
>>> Destination     Gateway         Genmask         Iface
>>> 10.5.0.0        0.0.0.0         255.255.0.0     eth0
>>> 169.254.0.0     0.0.0.0         255.255.0.0     eth1
>>> 192.x.0.0       0.0.0.0         255.255.0.0     eth1
>>> 10.0.0.0        10.5.0.1        255.0.0.0       eth0
>>> 0.0.0.0         192.x.x.1       0.0.0.0         eth1
>> This needs a bit more explanation to be clear. Please make an
>> artwork of the topology of your networks and hosts.
>>
>> Greets
>> Chris
>
> Internet --------FW-------
> DMZ----------192.x.x.x---------------------|------Web
> |----------------------------LAN
> 10.x.x.x
>
For protecting the Intranet, you could use:
# Accept replies and related traffic for connections that already exist.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new TCP connections (SYN only) and new UDP flows that enter on the
# Intranet-facing interface (-i) and leave on the outside one (-o). In the
# routing table quoted above the 10.x LAN sits on eth0, so check that the
# interface names match your host before applying this.
iptables -A FORWARD -m state --state NEW -p tcp --syn -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p udp -i eth1 -o eth0 -j ACCEPT
# These rules only ACCEPT; dropping the rest relies on the FORWARD chain's
# default policy being DROP (iptables -P FORWARD DROP).
That would be a stateful filter which allows all traffic originating
from the Intranet and blocks everything trying to get inside.
It can be refined.
Greets
Chris
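Chris's three rules written out as a complete script for the topology madunix posted (10.x LAN on eth0, 192.x DMZ on eth1, as in the routing table), with the refinements he alludes to: a DROP default policy so unmatched forwarded packets are actually blocked, an INVALID drop, and rate-limited logging of what gets dropped. This is an added example, not code from the thread; the interface names, the `ipt` wrapper and the `DRY_RUN` switch are this example's assumptions.

```shell
#!/bin/sh
# Stateful FORWARD filter for a dual-homed web server:
# LAN 10.x.x.x on eth0, DMZ 192.x.x.x on eth1 (per the posted routing table).
# Only the FORWARD chain is touched; INPUT, which protects the server's own
# services, is a separate concern. Interface names are assumed, not from the thread.

# ipt: run iptables, or with DRY_RUN=1 just print the rule that would be applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# apply_lan_guard LAN_IF DMZ_IF
apply_lan_guard() {
    lan_if="$1"
    dmz_if="$2"

    # Clean chain and a DROP default policy: without it the ACCEPT rules below
    # would admit LAN-originated traffic but nothing would block the rest.
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Packets the connection tracker cannot classify are never forwarded.
    ipt -A FORWARD -m state --state INVALID -j DROP

    # Replies and related traffic (e.g. ICMP errors) for connections the LAN opened.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections are accepted only when they enter on the LAN interface and
    # leave towards the DMZ; the reverse direction matches nothing and is dropped.
    ipt -A FORWARD -m state --state NEW -p tcp --syn -i "$lan_if" -o "$dmz_if" -j ACCEPT
    ipt -A FORWARD -m state --state NEW -p udp -i "$lan_if" -o "$dmz_if" -j ACCEPT

    # Rate-limited logging of everything that falls through to the DROP policy,
    # so inbound attempts against the LAN become visible in syslog.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Usage: sh lan_guard.sh --apply            (needs root)
#        DRY_RUN=1 sh lan_guard.sh --apply  (prints the rules instead of loading them)
if [ "${1:-}" = "--apply" ]; then
    apply_lan_guard "${LAN_IF:-eth0}" "${DMZ_IF:-eth1}"
fi
```

Run it with DRY_RUN=1 first and confirm that no NEW rule carries `-i <dmz> -o <lan>`; that single direction check is what actually protects the LAN.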