Re: [iptables] Zone based rules

["Magosányi, Árpád" <m4gw4s () gmail com>]

On 04/09/2013 05:41 PM, Jimmy Thrasibule wrote:
>   # Zones creation.
>   -N ZONE_MRKT
>   -N MRKT_OUT
>
>   -N ZONE_SRV
>   -N SRV_IN
>
>   # Traffic coming from the zones.
>   -A FORWARD -i eth0 ZONE_MRKT
>   -A FORWARD -i eth1 ZONE_SRV
>
>   # Traffic to the zones.
>   -A FORWARD -o eth0 ZONE_MRKT
>   -A FORWARD -o eth1 ZONE_SRV
>
>
>   # Let's look at marketing.
>   -A ZONE_MKRT -i eth0 -s mar.ket.ing.net/mask -d any/0 -j MRKT_OUT
>   # Marketing allows any outgoing traffic.
>   -A MRKT_OUT -j ACCEPT
>
>   # Servers
>   -A ZONE_SRV -o eth1 -s any/0 -d ser.ver.s.net/mask -j SRV_IN
>   -A SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
>
>
> In this example traffic leaving a zone is checked first so any traffic
> from marketing is allowed while the servers zone denies traffic from
> marketing.
>
> In can change the rules order but this will not solve the problem.
What about using the RETURN target instead of ACCEPT, and denying
everything in the zone-specific chain?
I believe it would solve the problem.
Having an IN and an OUT chain for each zone would mean more efficient
processing also.

KZORP ( https://github.com/balabit/kzorp ) have a notion of zone
hierarchy. You might want to take a look at it.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards