ClearFoundation

I currently have 3 Lans


eth1 (192.168.0.0/24)
eth2 (192.168.1.0/24)
eth3 (192.168.2.0/24)

eth1 can access eth2 and eth3
eth2 can only access eth3
eth3 can only access the net

Is this possible using iptables?
I am having trouble getting it working.


I tried the following last:

iptables -I FORWARD -i eth1 -o eth2 -j ALLOW
iptables -I FORWARD -i eth1 -o eth3 -j ALLOW
iptables -I FORWARD -i eth2 -o eth1 -j DROP
iptables -I FORWARD -i eth3 -o eth2 -j DROP
iptables -I FORWARD -i eth3 -o eth1 -j DROP

I did a packet sniff with wireshark and it shows the packets make it from eth1 --> eth2 or eth3 but when it goes back the other way it is dropped at the firewall.
What am I missing?

Thanks

You need to allow related and established packets back. There is a generic rule there already but your DROP rules are being inserted before it so the packets get dropped. You cant really use the default rules either as these allow traffic between all the LAN's. You also need to think of the order the rules are being applied. As you have used -I on its own for each rule they are added one by one to the top of your rules so the drop rules end up above the allow rules. Try something like:

Thank you, I will give that a try this weekend and see if I can get it working.