From 9f3c13b13f65f0398c4a26758069220e4160447c Mon Sep 17 00:00:00 2001
From: Preetham Ananthkumar
Date: Wed, 19 Jul 2023 11:01:33 +0100
Subject: [PATCH] Added firewall rules so that DMZ subnet cannot send outgoing or recieve incoming packets to/from other subnets

---
 Central-router.startup | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/Central-router.startup b/Central-router.startup
index 5ecbefe..641528f 100755
--- a/Central-router.startup
+++ b/Central-router.startup
@@ -31,8 +31,7 @@ ip link set up dev eth6
 # Firewall rules
-# Allow incoming ICMP Echo Request (ping) from Management subnet to all other subnets
-iptables -A FORWARD -i eth6 -o eth1 -s 10.0.6.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j ACCEPT
+# Allow outgoing ICMP Echo Request (ping) from Management subnet to all other subnets
 iptables -A FORWARD -i eth6 -o eth2 -s 10.0.6.0/24 -d 10.0.2.0/24 -p icmp --icmp-type 8 -j ACCEPT
 iptables -A FORWARD -i eth6 -o eth3 -s 10.0.6.0/24 -d 10.0.3.0/24 -p icmp --icmp-type 8 -j ACCEPT
 iptables -A FORWARD -i eth6 -o eth4 -s 10.0.6.0/24 -d 10.0.4.0/24 -p icmp --icmp-type 8 -j ACCEPT
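Review bot: The rewritten comment still says the Management subnet may ping "all other subnets", but the eth1 (DMZ, 10.0.1.0/24) ACCEPT rule is removed in this same hunk, so the comment no longer describes the rules beneath it. Suggest `# Allow outgoing ICMP Echo Request (ping) from Management subnet to all other subnets except DMZ (10.0.1.0/24)`. Note that removing the ACCEPT on its own does not block that traffic; it only takes effect together with the explicit `-i eth6 -o eth1 ... -j DROP` added in the second hunk or a DROP default policy on FORWARD, which is not visible here.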
@@ -44,3 +43,17 @@ iptables -A FORWARD -i eth2 -o eth6 -s 10.0.2.0/24 -d 10.0.6.0/24 -p icmp --icmp
 iptables -A FORWARD -i eth3 -o eth6 -s 10.0.3.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
 iptables -A FORWARD -i eth4 -o eth6 -s 10.0.4.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
 iptables -A FORWARD -i eth5 -o eth6 -s 10.0.5.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Drop outgoing ICMP Echo Request (ping) from DMZ subnet to all other subnets
+iptables -A FORWARD -i eth1 -o eth2 -s 10.0.1.0/24 -d 10.0.2.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth3 -s 10.0.1.0/24 -d 10.0.3.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth4 -s 10.0.1.0/24 -d 10.0.4.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth5 -s 10.0.1.0/24 -d 10.0.5.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth1 -o eth6 -s 10.0.1.0/24 -d 10.0.6.0/24 -p icmp --icmp-type 8 -j DROP
+
+# Drop incoming ICMP Echo Request (ping) from all other subnets to DMZ subnet
+iptables -A FORWARD -i eth2 -o eth1 -s 10.0.2.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth3 -o eth1 -s 10.0.3.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth4 -o eth1 -s 10.0.4.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth5 -o eth1 -s 10.0.5.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
+iptables -A FORWARD -i eth6 -o eth1 -s 10.0.6.0/24 -d 10.0.1.0/24 -p icmp --icmp-type 8 -j DROP
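Review bot: The ten new DROP rules match only ICMP echo-request (`-p icmp --icmp-type 8`), so the isolation promised by the commit message ("DMZ subnet cannot send outgoing or receive incoming packets to/from other subnets") is not what the rules enforce: TCP, UDP and every other ICMP type between eth1 and eth2–eth6 never hit these rules and fall through to the FORWARD chain's default policy, which is not visible in this hunk. Because `-A` appends, any ACCEPT earlier in the chain that matches DMZ traffic also wins over these DROPs, so the position of this block relative to the existing ACCEPT rules matters. If full DMZ isolation is the goal, drop the protocol qualifier and cover each interface pair in both directions; the per-interface rule set below replaces the ten added rules and should be preceded by `iptables -P FORWARD DROP` (or a check that it is already set) so unmatched traffic is not forwarded by default. The surrounding `# Drop ... Management subnet` rules earlier in the file are unaffected.
```shell
# Block all forwarded traffic (any protocol) between the DMZ (eth1,
# 10.0.1.0/24) and every other subnet, in both directions.  Appended with
# -A, so it must come after any ACCEPT that is meant to override it.
for i in 2 3 4 5 6; do
    iptables -A FORWARD -i eth1 -o "eth$i" -s 10.0.1.0/24 -d "10.0.$i.0/24" -j DROP
    iptables -A FORWARD -i "eth$i" -o eth1 -s "10.0.$i.0/24" -d 10.0.1.0/24 -j DROP
done
```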