Basic firewall rules for interfaces
-
Thanks for the responses. I added the block rule on NET2 and per @SteveITS added rule #3:
But with that block rule #1, I don't have WAN access (or LAN, which is good). I can ping 192.168.2.1 no problem but can't ping 8.8.8.8 or google.com.
-
@bumzag In the order shown, the third rule will never trigger because the second rule has already allowed the traffic. (they process in order, with an implicit deny all at the end)
On NET2, are devices set to use the NET2 interface IP as their DNS?
-
@steveits said in Basic firewall rules for interfaces:
@bumzag In the order shown, the third rule will never trigger because the second rule has already allowed the traffic. (they process in order, with an implicit deny all at the end)
On NET2, are devices set to use the NET2 interface IP as their DNS?
On a NET2 device with debian 11, I changed /etc/resolv.conf to 192.168.2.1 and rebooted, still no WAN access.
-
@bumzag Is the gateway 192.168.2.1 also? I misread your post that you cannot ping 8.8.8.8 so it's not (only) a DNS problem. Try a traceroute there to see how far you get.
You have traffic matching the any:any rule ("1/13 KiB").
-
@steveits yes, sorry, I edited it without realizing you commented. This is my /etc/network/interfaces file on a NET2 device:

    iface ens18 inet static
        address 192.168.2.2
        netmask 255.255.255.0
        gateway 192.168.2.1
        dns-nameservers 192.168.2.1

traceroute 8.8.8.8 gets me:

    1 192.168.2.2 (192.168.2.2) 3062.489ms !H 3062.423 ms !H 3062.401 ms !H
-
@bumzag https://networkengineering.stackexchange.com/questions/16454/difference-between-unresponsive-and-unreachable-h-hosts-in-traceroute-out
So not a DNS issue. Routing table on the PC?
-
Sorry, got distracted. If I add a rule to allow NET2 to LAN, devices on NET2 have no problem reaching WAN. I'm guessing there's a gateway issue with the NET2 interface?
-
@bumzag I believe that rule allows Net2 to any… I think you want more like:

    Block net2 net to lan net
    Allow net2 net to any
-
I'm sorry, but can you ELI5? I don't understand: why would I add a block-all rule to the LAN interface from NET2 but then add an allow-all rule on the LAN interface from NET2? Thanks for helping, btw.
-
@bumzag said in Basic firewall rules for interfaces:
I want LAN to have access to every interface indiscriminately, and NET2 to have WAN access, but no LAN access.
The block comes before the allow, so LAN would be blocked.
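To make the ordering point above concrete, here is an added illustration (not code from the thread or from pfSense) of first-match rule evaluation with an implicit deny at the end. The LAN subnet 192.168.1.0/24 is an assumption; NET2 is 192.168.2.0/24 as in the thread.

```python
import ipaddress

# Constructed subnets for the example; the LAN range is assumed, not from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
NET2_NET = ipaddress.ip_network("192.168.2.0/24")


def _matches(pattern, addr):
    """A rule field is either the literal 'any' or an ip_network to test membership in."""
    return pattern == "any" or addr in pattern


def evaluate(rules, src, dst):
    """First-match evaluation on one interface: walk the rules top to bottom and let
    the first matching (action, source, destination) decide. If nothing matches,
    the implicit deny-all at the end of the list applies (returned as rule None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, rule_src, rule_dst) in enumerate(rules, start=1):
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return action, index
    return "block", None


# Allow-before-block: the pass-any rule matches everything from NET2 first,
# so the block rule below it can never trigger and LAN stays reachable.
ALLOW_FIRST = [
    ("pass", NET2_NET, "any"),
    ("block", NET2_NET, LAN_NET),
]

# Block-before-allow, the order suggested in the thread: NET2 -> LAN is stopped
# by rule 1, and everything else from NET2 (e.g. to the WAN) falls through to rule 2.
BLOCK_FIRST = [
    ("block", NET2_NET, LAN_NET),
    ("pass", NET2_NET, "any"),
]

if __name__ == "__main__":
    for name, rules in (("allow first", ALLOW_FIRST), ("block first", BLOCK_FIRST)):
        print(name, "NET2->LAN:", evaluate(rules, "192.168.2.2", "192.168.1.10"))
        print(name, "NET2->WAN:", evaluate(rules, "192.168.2.2", "8.8.8.8"))
```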