iptables - Block incoming on eth1 and allow all from eth0

I am a bit stuck trying to get iptables to deal with two Ethernet ports.

eth0 is the LAN port (192.168.1.50, private IP).

eth1 is connected to the internet via a cable modem (80.0.xxx.xxx, public IP).

eth0      Link encap:Ethernet  HWaddr 00:19:99:C1:86:BB
          inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:137532 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55658 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:99968969 (95.3 MiB)  TX bytes:10403525 (9.9 MiB)
          Interrupt:50 Memory:fe700000-fe720000

eth1      Link encap:Ethernet  HWaddr 00:19:99:C1:61:3B
          inet addr:80.0.xxx.xxx  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70347 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34500131 (32.9 MiB)  TX bytes:27893843 (26.6 MiB)
          Interrupt:177 Memory:fe600000-fe620000

I want to block all incoming traffic on eth1 and only allow port 21, just so that external IPs can't access our web server, FTP server, etc. Only port 21 should be allowed, for SSH access. Ping should work too.

On the local network (eth0), anyone should be able to access anything, but the local IPs 192.168.1.20 and 192.168.1.30 should be blocked from accessing the 192.168.1.50 server.

How can it be done using iptables?


I want to block all incoming traffic on eth1 and only allow port 21, just so that external IPs can't access our web server, FTP server, etc. Only port 21 should be allowed, for SSH access. Ping should work too.

The cleanest way would be to configure the web/FTP servers to listen only on the internal interface. That way you wouldn't have to worry about any network-level filtering at all.

If you can't do that for any reason, apply these rules:

iptables -A INPUT -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # replies to the server's own outbound connections (DNS, updates); without this the DROP below kills them
iptables -A INPUT -i eth1 -p icmp -j ACCEPT           # allow ping
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT # allow SSH (first match wins, so this must come before the DROP)
iptables -A INPUT -i eth1 -j DROP                     # drop everything else arriving on eth1

(SSH's default port is 22 by the way, but I think you know best where your SSH listens.)


On the local network (eth0), anyone should be able to access anything, but the local IPs 192.168.1.20 and 192.168.1.30 should be blocked from accessing the 192.168.1.50 server.

Simple:

iptables -A INPUT -i eth0 -s 192.168.1.20 -j DROP
iptables -A INPUT -i eth0 -s 192.168.1.30 -j DROP

That drops all packets from these hosts. If you want ping allowed here as well, use a similar ICMP rule as on eth1.
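The whole rule set for this host as one script that generates an iptables-restore file and loads it atomically, added here as an example; it is not code from the question or the answer. It keeps the question's interfaces, addresses and SSH port, and adds what the three-line answer leaves out: a loopback accept, a conntrack rule so replies to the server's own outbound connections on eth1 are not dropped, a drop for INVALID packets, and an ICMP accept narrowed to echo-request (echo replies and ICMP errors for the server's own traffic arrive as ESTABLISHED/RELATED). The FORWARD policy is left at ACCEPT because nothing on the page says the host routes between the two networks; the environment-variable defaults and the `check_order` guard are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answer): build the INPUT ruleset
# for the two-NIC host in iptables-save format and apply it atomically with
# iptables-restore. Interfaces, addresses and the SSH port are the ones from
# the question; everything else is an assumption noted inline.
set -eu

LAN_IF="${LAN_IF:-eth0}"                 # 192.168.1.50, LAN side
WAN_IF="${WAN_IF:-eth1}"                 # public side, cable modem
SSH_PORT="${SSH_PORT:-21}"               # the asker's sshd listens on 21 (default is 22)
BLOCKED_LAN_HOSTS="${BLOCKED_LAN_HOSTS:-192.168.1.20 192.168.1.30}"

# Print the ruleset on stdout. Order matters: iptables takes the first match,
# so the catch-all DROP for $WAN_IF must come after every ACCEPT for it.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # LAN side: everything is allowed by the INPUT policy except the listed hosts.
    for host in $BLOCKED_LAN_HOSTS; do
        printf '%s -i %s -s %s -j DROP\n' '-A INPUT' "$LAN_IF" "$host"
    done
    # Public side: ping, SSH on $SSH_PORT, nothing else. Echo replies and ICMP
    # errors for our own traffic already match ESTABLISHED,RELATED above, so
    # only echo-request needs an explicit accept (tighter than a bare -p icmp).
    cat <<EOF
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -j DROP
COMMIT
EOF
}

# Guard against the classic mistake of appending an ACCEPT after the DROP:
# the last rule for the public interface must be the catch-all DROP.
check_order() {
    build_rules | grep "^-A INPUT -i $WAN_IF " | tail -n 1 | grep -q -e '-j DROP$'
}

# Parse the ruleset without committing it (iptables-restore --test), then
# load it in one atomic step, replacing the current filter table.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    check_order || { echo "apply_rules: refusing to load, DROP is not last" >&2; return 1; }
    build_rules | iptables-restore --test
    build_rules | iptables-restore
    iptables -L INPUT -v -n --line-numbers
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;     # default: print the ruleset for review
esac
```

Run it without arguments to review the generated file, and with `--apply` as root to load it; because iptables-restore replaces the whole filter table in one step, there is no window where the catch-all DROP is in place before the SSH accept, which is the usual way to lock yourself out when typing the rules one by one over SSH.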