Rui F Ribeiro

I am not really sure how this is possible, but I have a Linux (Ubuntu 14.04) box with 2 interfaces. eth0 is connected to our LAN 192.168.0.* and eth1 is connected to a D-Link Wi-Fi router on network 192.168.3.*.

The Wi-Fi network is only available for mobile devices. They are only supposed to access a web application installed on the box. I want to prevent any eventualities such as accessing the 192.168.0.* network even if someone gets authorized access to the box via ssh.

Is something like that possible? If yes, please explain how and give any resources you have for better understanding. Networking is not my strongest area, but I can understand much of the concept when it is explained clearly, so please bear with me.

EDIT

In /etc/sysctl.conf I now have net.ipv4.ip_forward=0, with sudo -p /etc/sysctl.conf and a restart of the machine. But it didn't work. I can ping the 192.168.0.* network.

#sysctl -a
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.tag = 0

EDIT 2

Below is my iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

Thanks in advance.
