On Thu, Oct 27, 2016 at 01:36:23PM +0200, Pol Hallen wrote:
> Hello all :-)
>
> I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules:
>
> iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j ACCEPT
>
> and the same rules for 192.168.2/24: this allows each LAN to see the other LAN.
>
> Can I deny only lan2 (192.168.2/24) from seeing lan1 (192.168.1/24) but allow
> lan1 to see lan2?
It depends on what you mean by "see". Do you mean 192.168.1/24 should be
able to start connections to 192.168.2/24 and receive replies, but not
the reverse? If so, you want:

# .1 can send anything anywhere
-A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT

# .2 can send back answers to .1
-A FORWARD -s 192.168.2/24 -d 192.168.1/24 \
   -m state --state ESTABLISHED,RELATED -j ACCEPT

# .2 is not allowed to establish new sessions to .1
-A FORWARD -s 192.168.2/24 -d 192.168.1/24 \
   -m state --state NEW -j DROP

# .1 can receive anything else
-A FORWARD -s 0/0 -d 192.168.1/24 -j ACCEPT

-dsr-
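To show why the order of those four FORWARD rules matters, here is an added example (my own, not code from the thread) that models iptables first-match evaluation in Python, with the conntrack state supplied by hand and an assumed DROP chain policy; it also checks what happens when the catch-all ACCEPT is moved above the NEW DROP.

```python
"""Toy first-match evaluator for the FORWARD rules in the reply above.
Added example, not code from the thread. Addresses are written in full
(iptables accepts 192.168.1/24 as shorthand for 192.168.1.0/24)."""
from ipaddress import ip_address, ip_network

# Rule order exactly as posted: (source, destination, states, target).
# states=None means the rule has no -m state match.
RULES = [
    ("192.168.1.0/24", "0.0.0.0/0",      None,                       "ACCEPT"),
    ("192.168.2.0/24", "192.168.1.0/24", {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("192.168.2.0/24", "192.168.1.0/24", {"NEW"},                    "DROP"),
    ("0.0.0.0/0",      "192.168.1.0/24", None,                       "ACCEPT"),
]
POLICY = "DROP"  # assumed chain policy; the thread does not state one


def forward_verdict(src, dst, state, rules=RULES):
    """Return the target of the first matching rule, else the chain policy.
    'state' stands in for what conntrack would report for this packet."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, states, target in rules:
        if s not in ip_network(rule_src):
            continue
        if d not in ip_network(rule_dst):
            continue
        if states is not None and state not in states:
            continue
        return target
    return POLICY


def one_way_policy_holds(rules=RULES):
    """True if the rules give the behaviour the reply describes:
    .1 may open sessions to .2, .2 may only answer, never initiate."""
    return (
        forward_verdict("192.168.1.10", "192.168.2.20", "NEW", rules) == "ACCEPT"
        and forward_verdict("192.168.2.20", "192.168.1.10", "ESTABLISHED", rules) == "ACCEPT"
        and forward_verdict("192.168.2.20", "192.168.1.10", "NEW", rules) == "DROP"
    )


if __name__ == "__main__":
    print("rules as posted hold:", one_way_policy_holds())
    # Swap the last two rules: the catch-all ACCEPT now precedes the NEW
    # DROP, so a NEW packet from .2 to .1 is accepted and the policy fails.
    reordered = [RULES[0], RULES[1], RULES[3], RULES[2]]
    print("catch-all moved above the DROP:", one_way_policy_holds(reordered))
```

The first rule also matches .1's reply packets to sessions .2 could not start, so the only thing keeping .2 from initiating is that its NEW DROP sits before the catch-all ACCEPT.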