From 9abb64944082db948d8fcd92cd05a35aeb14e25f Mon Sep 17 00:00:00 2001
From: Preetham Ananthkumar
Date: Mon, 17 Jul 2023 15:27:26 +0100
Subject: [PATCH 1/3] Added firewall rules to allow outgoing ICMP ping traffic from Management subnet but block incoming ICMP PING traffic to Management subnet
---
 Central-router.startup | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/Central-router.startup b/Central-router.startup
index 094ee5f..5ecbefe 100755
--- a/Central-router.startup
+++ b/Central-router.startup
@@ -28,3 +28,19 @@ ip link set up dev eth5
 # Gateway IP for Management-switch
 ip addr add 10.0.6.1/24 dev eth6
 ip link set up dev eth6
+
+# Firewall rules
+
+# Allow incoming ICMP Echo Request (ping) from Management subnet to all other subnets
+iptables -A FORWARD -i eth6 -o eth1 -s 10.0.6.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j ACCEPT
+iptables -A FORWARD -i eth6 -o eth2 -s 10.0.6.0/24 -d 10.0.2.0/24 -p icmp --icmp-type 8 -j ACCEPT
+iptables -A FORWARD -i eth6 -o eth3 -s 10.0.6.0/24 -d 10.0.3.0/24 -p icmp --icmp-type 8 -j ACCEPT
+iptables -A FORWARD -i eth6 -o eth4 -s 10.0.6.0/24 -d 10.0.4.0/24 -p icmp --icmp-type 8 -j ACCEPT
+iptables -A FORWARD -i eth6 -o eth5 -s 10.0.6.0/24 -d 10.0.5.0/24 -p icmp --icmp-type 8 -j ACCEPT
+
+# Drop incoming ICMP Echo Request (ping) from all other subnets to Management subnet
+iptables -A FORWARD -i eth1 -o eth6 -s 10.0.1.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth2 -o eth6 -s 10.0.2.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth3 -o eth6 -s 10.0.3.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth4 -o eth6 -s 10.0.4.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth5 -o eth6 -s 10.0.5.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
From 9f3c13b13f65f0398c4a26758069220e4160447c Mon Sep 17 00:00:00 2001
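Review bot: The ten new rules only steer ICMP echo-request (type 8) and the hunk sets no FORWARD policy, so what they achieve depends on a default that is not visible in the patch. If the chain keeps the iptables default policy of ACCEPT, the five ACCEPT lines are no-ops and every non-ping protocol from eth1–eth5 still reaches 10.0.6.0/24; if the policy is DROP elsewhere in the script, the echo replies (type 0) coming back to Management never match any rule and the pings fail. The usual shape is to state the policy and handle return traffic once before the per-subnet rules, e.g. `iptables -P FORWARD DROP` and `iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, and to start with `iptables -F FORWARD` so re-running the startup script does not append a second copy of every rule. If the intent is that all other lab traffic keeps flowing, keep the policy but make the "# Firewall rules" comment say that only echo-request is filtered.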
From: Preetham Ananthkumar
Date: Wed, 19 Jul 2023 11:01:33 +0100
Subject: [PATCH 2/3] Added firewall rules so that DMZ subnet cannot send outgoing or recieve incoming packets to/from other subnets
---
 Central-router.startup | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/Central-router.startup b/Central-router.startup
index 5ecbefe..641528f 100755
--- a/Central-router.startup
+++ b/Central-router.startup
@@ -31,8 +31,7 @@ ip link set up dev eth6
 
 # Firewall rules
 
-# Allow incoming ICMP Echo Request (ping) from Management subnet to all other subnets
-iptables -A FORWARD -i eth6 -o eth1 -s 10.0.6.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j ACCEPT
+# Allow outgoing ICMP Echo Request (ping) from Management subnet to all other subnets
 iptables -A FORWARD -i eth6 -o eth2 -s 10.0.6.0/24 -d 10.0.2.0/24 -p icmp --icmp-type 8 -j ACCEPT
 iptables -A FORWARD -i eth6 -o eth3 -s 10.0.6.0/24 -d 10.0.3.0/24 -p icmp --icmp-type 8 -j ACCEPT
 iptables -A FORWARD -i eth6 -o eth4 -s 10.0.6.0/24 -d 10.0.4.0/24 -p icmp --icmp-type 8 -j ACCEPT
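Review bot: The rewritten comment still says "to all other subnets" while the same hunk removes the eth6→eth1 ACCEPT, so the comment now overstates what the block allows; the DMZ (eth1, 10.0.1.0/24) is no longer in the list. Suggest `# Allow outgoing ICMP Echo Request (ping) from Management subnet to all other subnets except DMZ (eth1)` so the reader does not look for a missing rule. The rule block continues past the end of the hunk (the eth5 line is outside it), so this is the only line of the block the comment needs to be reconciled with here.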
@@ -44,3 +43,17 @@ iptables -A FORWARD -i eth2 -o eth6 -s 10.0.2.0/24 -d 10.0.6.0/24 -p icmp --icmp
 iptables -A FORWARD -i eth3 -o eth6 -s 10.0.3.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
 iptables -A FORWARD -i eth4 -o eth6 -s 10.0.4.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
 iptables -A FORWARD -i eth5 -o eth6 -s 10.0.5.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Drop outgoing ICMP Echo Request (ping) from DMZ subnet to all other subnets
+iptables -A FORWARD -i eth1 -o eth2 -s 10.0.1.0/24 -d 10.0.2.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth3 -s 10.0.1.0/24 -d 10.0.3.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth4 -s 10.0.1.0/24 -d 10.0.4.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth5 -s 10.0.1.0/24 -d 10.0.5.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth6 -s 10.0.1.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Drop incoming ICMP Echo Request (ping) from all other subnets to DMZ subnet
+iptables -A FORWARD -i eth2 -o eth1 -s 10.0.2.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth3 -o eth1 -s 10.0.3.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth4 -o eth1 -s 10.0.4.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth5 -o eth1 -s 10.0.5.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth6 -o eth1 -s 10.0.6.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
From c0c5a3c7403e8e35b1a34af3cdbb2992681a4024 Mon Sep 17 00:00:00 2001
From: Preetham Ananthkumar
Date: Thu, 20 Jul 2023 15:05:18 +0100
Subject: [PATCH 3/3] Added firewall rules to reject outgoing and incoming packets between External subnet and LDAP
---
 Central-router.startup | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Central-router.startup b/Central-router.startup
index 641528f..f8fba43 100755
--- a/Central-router.startup
+++ b/Central-router.startup
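Review bot: Every new DROP here carries `-p icmp --icmp-type 8`, so the DMZ is isolated for ping only; TCP, UDP and every other ICMP type between 10.0.1.0/24 and the other subnets are untouched by this hunk, which is narrower than the commit subject's "cannot send outgoing or receive incoming packets". If full isolation is the goal, remove the protocol match from these ten lines, e.g. `iptables -A FORWARD -i eth1 -o eth2 -s 10.0.1.0/24 -d 10.0.2.0/24 -j DROP`; if only ping is meant, the subject and the two section comments should say so. The `-i eth1 -o eth6` line also repeats, match for match, the rule patch 1 already appended to the Management section, so one of the two copies can go.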
@@ -57,3 +57,13 @@ iptables -A FORWARD -i eth3 -o eth1 -s 10.0.3.0/24 -d 10.0.1.0/24 -p icmp --icmp
 iptables -A FORWARD -i eth4 -o eth1 -s 10.0.4.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
 iptables -A FORWARD -i eth5 -o eth1 -s 10.0.5.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
 iptables -A FORWARD -i eth6 -o eth1 -s 10.0.6.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Allow incoming ICMP Echo Request (ping) from External subnet to specific machines in Server subnet
+iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.2 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.4 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+# Drop incoming ICMP Echo Request (ping) from External to LDAP (for all other machines in External subnet)
+iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.3 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j DROP
+
+# Drop incoming ICMP Echo Request (ping) from LDAP to External subnet
+iptables -A FORWARD -s 10.0.5.3 -d 10.0.2.0/24 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j DROP
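Review bot: The four new rules drop the `-i`/`-o` interface match that every earlier rule in this file pairs with `-s`/`-d`, so the address-only match is the only thing binding a packet to the External subnet and a 10.0.2.0/24 source arriving on any other interface would still hit the ACCEPT lines toward 10.0.5.2 and 10.0.5.4; add `-i eth2 -o eth5` to the first three rules and `-i eth5 -o eth2` to the last one to keep the anti-spoofing property the rest of the script has. `-m state --state NEW,ESTABLISHED` does nothing useful on a DROP rule, and on the ACCEPT rules it never admits the echo reply (type 0) because `--icmp-type 8` sits in the same rule, so return traffic again depends on whatever the chain's default policy is; a single `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` earlier in the chain covers replies, and `conntrack` is the current spelling of the legacy `state` match. The comment "(for all other machines in External subnet)" is misleading because the ACCEPT rules carve out destinations (.2 and .4), not source machines; suggest `# Drop incoming ICMP Echo Request (ping) from the whole External subnet to LDAP (10.0.5.3)`. The commit subject says "reject" while the target is DROP, so either the subject or the target should change to match.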