Am I overlooking some small problem with my new rules?.A INPUT -i !wan0 -p udp -m udp -dport 53 -j ACCEPT A INPUT -i !wan0 -p tcp -m tcp -dport 53 -j ACCEPT However, when I switch to using the following rule instead, machines from within a number of VLANs can't access DNS services running on the edge device anymore: # allow DNS from not-wan A INPUT -i ens789 -p udp -m udp -dport 53 -j ACCEPTįrom looking at the iptables documentation and examples online, it looks like using a bang ( !) should help by blacklisting only the WAN NIC, thus allowing everything else to connect to the edge from inside the various VLANs.
A INPUT -i ens789 -p tcp -m tcp -dport 53 -j ACCEPT A INPUT -i ens456 -p udp -m udp -dport 53 -j ACCEPT A INPUT -i ens456 -p tcp -m tcp -dport 53 -j ACCEPT A INPUT -i ens123 -p udp -m udp -dport 53 -j ACCEPT A INPUT -i ens123 -p tcp -m tcp -dport 53 -j ACCEPT
Wan0 = Wide Area Network / Internet accessĬurrently, it's using INPUT rules similar to the following to allow internal machines to access its services: # allow DNS from lan Everything's working as expected, but I'm looking to keep the number of firewall rules to a minimum as the edge device changes in profile over time, like when additional VLANs (VLAN=dedicated NIC, in this case) or services are added to it. I've setup a combination firewall (iptables), router, DHCP and DNS device running Ubuntu 圆4 at the edge of the network.
0 kommentar(er)
