This should work. A, B and C networks can only go out to the world and have related/established connections come back in. No access from A to B or C, etc.
Note that your device names will be different from the eth0, eth1, etc., and you will need physical devices, not aliases/secondary addresses on a single NIC.
Should work on any Linux distro from the past 15 years....
Code:
#!/bin/bash
# a very simple set of iptables commands
# to allow forwarding between ethernet
# devices
# enable ipv4 forwarding in /etc/sysctl.conf before using!
set -eu

# these almost certainly need
# to be changed
WAN_DEVICE=eth0
LAN_A_DEVICE=eth1
LAN_B_DEVICE=eth2
LAN_C_DEVICE=eth3

# where is iptables located?
iptables=$(command -v iptables)

# flush all existing rules
# (-F alone only touches the filter table; flush nat as well,
# otherwise re-running the script stacks up duplicate MASQUERADE rules)
$iptables -F
$iptables -t nat -F

# this is for NAT
# enable masquerading
# not needed if you have routable addresses on both sides
$iptables -t nat -A POSTROUTING -o "$WAN_DEVICE" -j MASQUERADE

# don't forward packets from off-lan to lan if
# they are a brand new connection being formed
$iptables -A FORWARD -i "$WAN_DEVICE" -o "$LAN_A_DEVICE" -m state --state NEW -j REJECT
$iptables -A FORWARD -i "$WAN_DEVICE" -o "$LAN_B_DEVICE" -m state --state NEW -j REJECT
$iptables -A FORWARD -i "$WAN_DEVICE" -o "$LAN_C_DEVICE" -m state --state NEW -j REJECT

# block A to B and C, and variations thereof
$iptables -A FORWARD -i "$LAN_A_DEVICE" -o "$LAN_B_DEVICE" -m state --state NEW -j REJECT
$iptables -A FORWARD -i "$LAN_A_DEVICE" -o "$LAN_C_DEVICE" -m state --state NEW -j REJECT
$iptables -A FORWARD -i "$LAN_B_DEVICE" -o "$LAN_A_DEVICE" -m state --state NEW -j REJECT
$iptables -A FORWARD -i "$LAN_B_DEVICE" -o "$LAN_C_DEVICE" -m state --state NEW -j REJECT
$iptables -A FORWARD -i "$LAN_C_DEVICE" -o "$LAN_A_DEVICE" -m state --state NEW -j REJECT
$iptables -A FORWARD -i "$LAN_C_DEVICE" -o "$LAN_B_DEVICE" -m state --state NEW -j REJECT

# if the packets come from off-lan but they are
# related to a connection that was established from
# within the lan, go ahead and forward them
$iptables -A FORWARD -i "$WAN_DEVICE" -o "$LAN_A_DEVICE" -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -i "$WAN_DEVICE" -o "$LAN_B_DEVICE" -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -i "$WAN_DEVICE" -o "$LAN_C_DEVICE" -m state --state RELATED,ESTABLISHED -j ACCEPT

# whatever traffic comes from the lan to go to
# the world allow thru
$iptables -A FORWARD -i "$LAN_A_DEVICE" -o "$WAN_DEVICE" -j ACCEPT
$iptables -A FORWARD -i "$LAN_B_DEVICE" -o "$WAN_DEVICE" -j ACCEPT
$iptables -A FORWARD -i "$LAN_C_DEVICE" -o "$WAN_DEVICE" -j ACCEPT

# anything not matched above (e.g. packets conntrack flags INVALID)
# falls through to the FORWARD chain's default policy, which this
# script does not change; check it with: iptables -L FORWARD -v -n
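To confirm the isolation this script is meant to provide before trusting it, it helps to walk the FORWARD chain offline with first-match semantics and build the full interface-pair/state matrix. The following is an added example, not the poster's code: it parses a rule dump in iptables-save format (a constructed sample mirroring the post's rules, using the same assumed device names eth0 through eth3) and reports the verdict for each (in-interface, out-interface, conntrack state) triple, including the triples that are decided by the chain's default policy rather than by an explicit rule.

```python
"""Offline walk of an iptables FORWARD chain to check LAN isolation.

Added example, not from the original post. It parses iptables-save
output (a constructed sample is embedded below) and evaluates the
FORWARD chain with first-match semantics, so the resulting matrix
shows both the explicit verdicts and what falls through to policy.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample dump; device names are assumptions (eth0 = WAN,
# eth1..eth3 = LAN A..C), matching the variables used in the script.
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state NEW -j REJECT
-A FORWARD -i eth0 -o eth2 -m state --state NEW -j REJECT
-A FORWARD -i eth0 -o eth3 -m state --state NEW -j REJECT
-A FORWARD -i eth1 -o eth2 -m state --state NEW -j REJECT
-A FORWARD -i eth1 -o eth3 -m state --state NEW -j REJECT
-A FORWARD -i eth2 -o eth1 -m state --state NEW -j REJECT
-A FORWARD -i eth2 -o eth3 -m state --state NEW -j REJECT
-A FORWARD -i eth3 -o eth1 -m state --state NEW -j REJECT
-A FORWARD -i eth3 -o eth2 -m state --state NEW -j REJECT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth3 -o eth0 -j ACCEPT
COMMIT
"""

CT_STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]            # -i, or None for "any"
    out_if: Optional[str]           # -o, or None for "any"
    states: Optional[FrozenSet[str]]  # --state set, or None for "any"
    target: str                     # -j

    def matches(self, in_if: str, out_if: str, state: str) -> bool:
        return ((self.in_if is None or self.in_if == in_if)
                and (self.out_if is None or self.out_if == out_if)
                and (self.states is None or state in self.states))


def parse_forward_chain(dump: str) -> Tuple[str, List[Rule]]:
    """Return (default policy, ordered rules) for the FORWARD chain."""
    policy = "ACCEPT"  # iptables' built-in default if no policy line is seen
    rules: List[Rule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.match(r"^:FORWARD\s+(\S+)", line)
        if m:
            policy = m.group(1)
            continue
        if not line.startswith("-A FORWARD"):
            continue  # other chains/tables are irrelevant here
        toks = line.split()

        def opt(flag: str) -> Optional[str]:
            return toks[toks.index(flag) + 1] if flag in toks else None

        states = opt("--state")
        rules.append(Rule(opt("-i"), opt("-o"),
                          frozenset(states.split(",")) if states else None,
                          opt("-j") or policy))
    return policy, rules


def verdict(policy: str, rules: List[Rule],
            in_if: str, out_if: str, state: str) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(in_if, out_if, state):
            return rule.target
    return policy


def fallthrough_cases(dump: str, ifaces: List[str]) -> List[Tuple[str, str, str]]:
    """Triples decided by the default policy, not by any explicit rule."""
    policy, rules = parse_forward_chain(dump)
    gaps = []
    for src in ifaces:
        for dst in ifaces:
            if src == dst:
                continue  # same-interface forwarding is not the concern here
            for state in CT_STATES:
                if not any(r.matches(src, dst, state) for r in rules):
                    gaps.append((src, dst, state))
    return gaps


if __name__ == "__main__":
    pol, rs = parse_forward_chain(SAMPLE_RULES)
    ifs = ["eth0", "eth1", "eth2", "eth3"]
    for s in ifs:
        for d in ifs:
            if s != d:
                row = ", ".join(f"{st}={verdict(pol, rs, s, d, st)}" for st in CT_STATES)
                print(f"{s} -> {d}: {row}")
    print("decided by policy", pol, "only:", fallthrough_cases(SAMPLE_RULES, ifs))
```

Running it against the sample shows the intended results (LAN-to-LAN and WAN-to-LAN NEW rejected, LAN-to-WAN accepted, return traffic accepted) and also lists every triple that no rule covers, such as INVALID-state packets between LANs; those inherit the chain policy, so the output tells you whether the policy on the live box matters for your isolation goal.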