
I cannot get this one rule working right.

My interfaces:

#WAN
auto wan0
iface wan0 inet dhcp

#LAN
auto lan0.7
iface lan0.7 inet static
    address 172.17.7.1
    netmask 255.255.255.0
    vlan-raw-device lan0

#DMZ
auto lan0.17
iface lan0.17 inet static
    address 172.17.17.1
    netmask 255.255.255.0
    vlan-raw-device lan0

The iptables rule I am having trouble with:

iptables -A FORWARD -i lan0.17 -o lan0.7 -j DROP

The goal here is to block DMZ traffic to LAN, but to allow it the other way around.  The rule above cuts LAN to DMZ too.  What am I doing wrong here?

Output of iptables -nvL:

Chain INPUT (policy ACCEPT 578 packets, 70339 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2062 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination
  164 13776 DROP       0    --  lan0.17 lan0.7  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 402 packets, 33334 bytes)
 pkts bytes target     prot opt in     out     source               destination
  • Could you share the output of iptables -nvL, please? Also, how do you know that traffic is dropped from LAN to DMZ? Commented Mar 4, 2024 at 21:30
  • Hi, please bear with me, I am still trying to figure my way with iptables. I am testing this by pinging LAN PC to DMZ PC and vice versa. Thank you for the answer! I edited my post with iptables -nvL Commented Mar 4, 2024 at 21:40
  • I fixed the layout again. Next time you add a command, a command output or code, just check how to use the formatting. For this use the {} Code sample icon. Commented Mar 4, 2024 at 21:49

1 Answer

Traffic goes both ways, especially for TCP: to get traffic from lan0.7 to lan0.17, reply traffic, from lan0.17 to lan0.7, starting with the initial reply (SYN/ACK), has to be allowed, else communication can't work (the LAN client will have the SYN-SENT state and the DMZ server the SYN-RECV state). So use a stateful rule that queries Netfilter's conntrack (which tracks the state of all flows seen by the system) to first allow reply traffic (and related traffic, such as ICMP errors). What remains isn't reply traffic: filter it as needed, like dropping from lan0.17 to lan0.7 whatever isn't a reply (replies were already accepted in the previous rule):

iptables -A FORWARD -i lan0.17 -o lan0.7 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lan0.17 -o lan0.7 -j DROP

Actually there's no reason to further filter the conntrack state rule: it could be used for multiple simultaneous cases and one rule can handle them all. So just don't state what interfaces it applies to:

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lan0.17 -o lan0.7 -j DROP
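To see why the single DROP rule breaks the LAN-to-DMZ direction while the stateful pair does not, here is a small added example (not code from the question or the answer) that models the FORWARD chain's first-match evaluation in plain POSIX sh, with the chain policy set to ACCEPT as in the asker's iptables -nvL output. The rule text format (IN OUT CTSTATES TARGET, with "*" as a wildcard) and the session_works helper are constructed for this model; the state names NEW, ESTABLISHED and RELATED are the real conntrack states. It needs no root and never touches the kernel's tables.

```shell
#!/bin/sh
# Added example, not code from the original post: a model of how the FORWARD
# chain evaluates the two rule sets from the answer. First matching rule wins;
# when nothing matches, the chain policy (ACCEPT here) applies.
#
# Rule format (constructed for this model): IN OUT CTSTATES TARGET,
# where "*" matches any interface or any state. CTSTATES uses the real
# conntrack state names NEW, ESTABLISHED, RELATED.

# The asker's original chain: a single state-unaware DROP.
RULES_ORIGINAL='lan0.17 lan0.7 * DROP'

# The answer's final chain: replies/related traffic first, then the DROP.
RULES_STATEFUL='* * ESTABLISHED,RELATED ACCEPT
lan0.17 lan0.7 * DROP'

# ctstate_match RULE_STATES PKT_STATE: succeeds if the packet's state is in
# the rule's comma-separated list, or if the rule does not filter on state.
ctstate_match() {
    [ "$1" = "*" ] && return 0
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# forward_verdict RULES IN OUT PKT_STATE: prints the verdict for one packet,
# walking the rules top to bottom and stopping at the first match.
forward_verdict() {
    pin=$2; pout=$3; pstate=$4
    printf '%s\n' "$1" | {
        verdict=ACCEPT   # chain policy when no rule matches
        while read -r rin rout rstate target; do
            if { [ "$rin" = "*" ] || [ "$rin" = "$pin" ]; } \
               && { [ "$rout" = "*" ] || [ "$rout" = "$pout" ]; } \
               && ctstate_match "$rstate" "$pstate"; then
                verdict=$target
                break
            fi
        done
        printf '%s\n' "$verdict"
    }
}

# A connection only works if both its first packet (NEW, client -> server)
# and the reply (ESTABLISHED, server -> client) are accepted. This is what
# the asker's ping test and a TCP handshake (SYN, then SYN/ACK) exercise.
session_works() {   # session_works RULES CLIENT_IF SERVER_IF
    [ "$(forward_verdict "$1" "$2" "$3" NEW)" = ACCEPT ] \
    && [ "$(forward_verdict "$1" "$3" "$2" ESTABLISHED)" = ACCEPT ]
}

lan_to_dmz_works() { session_works "$1" lan0.7 lan0.17; }
dmz_to_lan_works() { session_works "$1" lan0.17 lan0.7; }

report() {   # report LABEL RULES
    lan_to_dmz_works "$2" && a=works || a=broken
    dmz_to_lan_works "$2" && b=works || b=blocked
    printf '%-9s LAN->DMZ: %s, DMZ->LAN: %s\n' "$1" "$a" "$b"
}

report original "$RULES_ORIGINAL"
report stateful "$RULES_STATEFUL"
```

With the original chain the SYN from the LAN is accepted by policy but the SYN/ACK coming back from lan0.17 hits the DROP, so the report shows LAN->DMZ broken; with the stateful chain the reply matches the ESTABLISHED,RELATED rule first and only NEW DMZ-originated packets reach the DROP. Because the chain is evaluated in order, the conntrack rule must sit above the DROP: if the DROP from the question is already loaded, either flush FORWARD before re-adding both rules or insert the conntrack rule at the top with iptables -I FORWARD 1 ... rather than appending it with -A.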
