How to split a zone in sub zones
By Purple s.r.l.
Contents
1 Preface
2 Isolating two interfaces in the same zone
3 How to block a specific network VLAN in order to not be able to use another IP address
4 Conclusions
Preface
Normally Endian Firewall puts all the interfaces belonging to the same zone into one bridge; this happens with virtual interfaces (VLANs) as well. For example br0 (green) may contain eth0, eth1 and whichever other devices you assign to the green zone.
For many reasons you may want to split a zone into additional sub-zones that cannot see each other. Because of a structural limit you cannot remove an interface from a bridge, so you have to apply a small hack: you will end up with a bridge that does not actually bridge.
You can create such a new zone with the help of interzone firewall rules; below you will see how to do it.
Isolating two interfaces in the same zone
- Create block rules from interface1 to interface2 and vice versa.
- Create all the allow rules you need; be careful, these rules must be kept above the block rules.
- The best option is to select the ETHER service so that the rules are applied at layer 2.
Below are two configuration examples; the first one is useful to test the environment because it allows ping.
Below is a configuration which allows only the HTTP protocol from interface 1 to interface 2.
How to block a specific network VLAN in order to not be able to use another IP address
#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
    # add your 'start' rules here

    ### Rules to bind a subnet to an interface/vlan ###
    # Order matters: the RETURN for the bound subnet must precede the
    # catch-all DROP for the same bridge port.
    # VLAN 201
    iptables -A CUSTOMFORWARD -s 10.10.201.0/24 -m physdev --physdev-in eth5.201 -d 0/0 -j RETURN
    iptables -A CUSTOMFORWARD -s 0/0 -m physdev --physdev-in eth5.201 -d 0/0 -j DROP
    # VLAN 202
    iptables -A CUSTOMFORWARD -s 10.10.202.0/24 -m physdev --physdev-in eth5.202 -d 0/0 -j RETURN
    iptables -A CUSTOMFORWARD -s 0/0 -m physdev --physdev-in eth5.202 -d 0/0 -j DROP
    # VLAN 203
    iptables -A CUSTOMFORWARD -s 10.10.203.0/24 -m physdev --physdev-in eth5.203 -d 0/0 -j RETURN
    iptables -A CUSTOMFORWARD -s 0/0 -m physdev --physdev-in eth5.203 -d 0/0 -j DROP

    ### Add rules to forbid traffic destined to the firewall (proxies, management, etc.) ###
    # VLAN 201
    iptables -A CUSTOMINPUT -s 10.10.201.0/24 -m physdev --physdev-in eth5.201 -d 0/0 -j RETURN
    iptables -A CUSTOMINPUT -s 0/0 -m physdev --physdev-in eth5.201 -d 0/0 -j DROP
    # VLAN 202
    iptables -A CUSTOMINPUT -s 10.10.202.0/24 -m physdev --physdev-in eth5.202 -d 0/0 -j RETURN
    iptables -A CUSTOMINPUT -s 0/0 -m physdev --physdev-in eth5.202 -d 0/0 -j DROP
    # VLAN 203
    iptables -A CUSTOMINPUT -s 10.10.203.0/24 -m physdev --physdev-in eth5.203 -d 0/0 -j RETURN
    iptables -A CUSTOMINPUT -s 0/0 -m physdev --physdev-in eth5.203 -d 0/0 -j DROP
    ;;
  stop)
    # add your 'stop' rules here

    # Flushes custom chains
    iptables -F CUSTOMFORWARD
    iptables -F CUSTOMINPUT
    ;;
  reload)
    # add your 'reload' rules here
    ;;
  *)
    echo "Usage: $0 {start|reload|stop}"
    ;;
esac
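A check worth running after loading these rules, as an added example (Python, not code from the original document or from Endian): it parses iptables-save output and verifies that, for every bridge port matched with --physdev-in, the RETURN for the bound subnet comes before the catch-all DROP, the ordering the script above depends on. The CUSTOMFORWARD/CUSTOMINPUT chain names and the eth5.2xx ports are taken from the script; the sample dump is constructed.

```python
"""Audit subnet-to-VLAN binding rules (physdev RETURN before DROP) in an
iptables-save dump. Added example, not code from the original document."""
import re

# One CUSTOMFORWARD/CUSTOMINPUT rule as iptables-save prints it
# (a 0/0 source or destination is omitted in that output).
RULE = re.compile(
    r"^-A (?P<chain>CUSTOMFORWARD|CUSTOMINPUT)(?: -s \S+)? -m physdev"
    r" --physdev-in (?P<port>\S+)(?: -d \S+)? -j (?P<target>RETURN|DROP)$"
)


def audit_bindings(save_text):
    """Map (chain, port) to: ok | no-drop | drop-without-return | return-after-drop."""
    targets = {}  # (chain, port) -> jump targets in rule order
    for line in save_text.splitlines():
        m = RULE.match(line.strip())
        if m:
            targets.setdefault((m["chain"], m["port"]), []).append(m["target"])
    verdict = {}
    for key, seq in targets.items():
        if "DROP" not in seq:
            verdict[key] = "no-drop"              # other source IPs still pass
            continue
        first_drop = seq.index("DROP")
        if "RETURN" not in seq[:first_drop]:
            verdict[key] = "drop-without-return"  # port cut off, own subnet too
        elif "RETURN" in seq[first_drop:]:
            verdict[key] = "return-after-drop"    # shadowed allow, never matches
        else:
            verdict[key] = "ok"
    return verdict


# Constructed sample: 201 correct, 202 has a shadowed RETURN, 203 never drops.
SAMPLE_SAVE = """\
*filter
-A CUSTOMFORWARD -s 10.10.201.0/24 -m physdev --physdev-in eth5.201 -j RETURN
-A CUSTOMFORWARD -m physdev --physdev-in eth5.201 -j DROP
-A CUSTOMFORWARD -s 10.10.202.0/24 -m physdev --physdev-in eth5.202 -j RETURN
-A CUSTOMFORWARD -m physdev --physdev-in eth5.202 -j DROP
-A CUSTOMFORWARD -s 10.10.212.0/24 -m physdev --physdev-in eth5.202 -j RETURN
-A CUSTOMFORWARD -s 10.10.203.0/24 -m physdev --physdev-in eth5.203 -j RETURN
-A CUSTOMINPUT -m physdev --physdev-in eth5.201 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for (chain, port), status in sorted(audit_bindings(SAMPLE_SAVE).items()):
        print(f"{chain:<14} {port:<9} {status}")
```

On a live box feed it the real dump, e.g. `iptables-save | python3 audit.py` after changing the main block to read sys.stdin.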