Merge pull request #27 from iArcanic/firewall-rules

Firewall rules
iArcanic · Jul 20, 2023 · 881ea58 · 881ea58
2 parents a5e492c + c0c5a3c
commit 881ea58
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/Central-router.startup b/Central-router.startup
@@ -28,3 +28,42 @@ ip link set up dev eth5
 # Gateway IP for Management-switch
 ip addr add 10.0.6.1/24 dev eth6
 ip link set up dev eth6
+
+# Firewall rules
+
+# Allow outgoing ICMP Echo Request (ping) from Management subnet to all other subnets
+iptables -A FORWARD -i eth6 -o eth2 -s 10.0.6.0/24 -d 10.0.2.0/24 -p icmp --icmp-type 8 -j ACCEPT
+iptables -A FORWARD -i eth6 -o eth3 -s 10.0.6.0/24 -d 10.0.3.0/24 -p icmp --icmp-type 8 -j ACCEPT
+iptables -A FORWARD -i eth6 -o eth4 -s 10.0.6.0/24 -d 10.0.4.0/24 -p icmp --icmp-type 8 -j ACCEPT
+iptables -A FORWARD -i eth6 -o eth5 -s 10.0.6.0/24 -d 10.0.5.0/24 -p icmp --icmp-type 8 -j ACCEPT
+
+# Drop incoming ICMP Echo Request (ping) from all other subnets to Management subnet
+iptables -A FORWARD -i eth1 -o eth6 -s 10.0.1.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth2 -o eth6 -s 10.0.2.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth3 -o eth6 -s 10.0.3.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth4 -o eth6 -s 10.0.4.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth5 -o eth6 -s 10.0.5.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Drop outgoing ICMP Echo Request (ping) from DMZ subnet to all other subnets
+iptables -A FORWARD -i eth1 -o eth2 -s 10.0.1.0/24 -d 10.0.2.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth3 -s 10.0.1.0/24 -d 10.0.3.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth4 -s 10.0.1.0/24 -d 10.0.4.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth5 -s 10.0.1.0/24 -d 10.0.5.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth6 -s 10.0.1.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Drop incoming ICMP Echo Request (ping) from all other subnets to DMZ subnet
+iptables -A FORWARD -i eth2 -o eth1 -s 10.0.2.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth3 -o eth1 -s 10.0.3.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth4 -o eth1 -s 10.0.4.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth5 -o eth1 -s 10.0.5.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth6 -o eth1 -s 10.0.6.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Allow incoming ICMP Echo Request (ping) from External subnet to specific machines in Server subnet
+iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.2 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.4 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+# Drop incoming ICMP Echo Request (ping) from External to LDAP (for all other machines in External subnet)
+iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.3 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j DROP
+
+# Drop incoming ICMP Echo Request (ping) from LDAP to External subnet
+iptables -A FORWARD -s 10.0.5.3 -d 10.0.2.0/24 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j DROP