I have an iptables-capable router with a static route from 192.0.3.0 to 192.0.0.0.
My problem is SMB file sharing traffic is leaking on to our 192.0.0.0 and causing congestion. I only have one printer IP address that needs to talk over 192.0.0.0.
Can I use iptables to block traffic from all IP addresses from sending traffic over 192.0.0.0 except that one printer?
In short, I need 192.0.3.102 to be the ONLY device that can talk to 192.0.0.10. NOTE: the iptables-enabled router is on the 192.0.3.0 network.
That's odd. It usually doesn't make sense to route SMB traffic at all. Do the computers believe they're all on one big subnet? That'd be more like bridging.
Anyway. I can't guarantee this is correct, being I rarely use iptables directly, but I think I have the right idea: Explicitly allow traffic to/from your printer's IP, then explicitly deny everything else. The first rule will match your printer traffic, the rest won't and will go to the next rule which will drop it.
# Assuming your printer's IP is 192.0.3.1
# (chain names are case-sensitive: the built-in chain is FORWARD, not forward)
# Accept 0.0 -> printer traffic
iptables -A FORWARD --source 192.0.0.0/24 --destination 192.0.3.1 -j ACCEPT
# Accept printer -> 0.0 traffic
iptables -A FORWARD --source 192.0.3.1 --destination 192.0.0.0/255.255.255.0 -j ACCEPT
# Drop everything else 0.0 -> 3.0
iptables -A FORWARD --source 192.0.0.0/24 --destination 192.0.3.0/255.255.255.0 -j DROP
# Drop everything else 3.0 -> 0.0
iptables -A FORWARD --source 192.0.3.0/24 --destination 192.0.0.0/24 -j DROP
Mostly, because it's easier to hook up a keyboard and monitor to a computer if you firewall yourself out. Though I'm sure I'm preaching to the choir there.
Also because it changes your environment quite a bit. I suppose you've got a full iptables, but nearly everything else is a feature-reduced version of what you'd get on a PC.
We have dual-homed servers. One home is 192.0.10.0 (main home LAN); the other home is 192.0.0.0 (WAN). We have the 192.0.0.0 (WAN) so our servers can talk over WAN to our other location (192.0.3.0). It is a Frame Relay connection. We have serial network printers in the other location (192.0.3.0), but the server (that people work on and send print jobs from) is at the main location (192.0.0.0).
NOW the other location. Its LAN is 192.0.3.0. It still needs to talk to 192.0.0.0 (WAN) to connect to the unix server (off site) and so the unix server can send print jobs to the (on site) printers. THUS, 192.0.3.0 (other home LAN) must communicate with 192.0.0.0 (WAN), but it only needs to for those printing purposes. I could let the clients ssh over the internet for the terminal sessions.
in short:
main site ------------------------------------------other site
LAN1 (192.0.10.0) ------ WAN (192.0.0.0) -------- LAN2 (192.0.3.0)
server here -------------------------------------------printer here
The issue that caught my eye is this:
192.0.3.0 (LAN) router has static route to 192.0.0.0 frame (WAN)
I just installed a NAS on the 192.0.3.0 LAN. I mapped a share from the NAS to a network drive on a PC. I started an image backup from some backup software we use (EaseUS Todo) to image the PC drive to the NAS share. Job running fine. Frame starts dropping print jobs. Frame drops hella pings. I log back in to the PC that is being backed up and KILL the backup. INSTA presto, Frame (WAN) (192.0.0.0) comes back up and starts working fine again.
My conclusion:
I need to stop all traffic except essential from possibly leaking onto the WAN frame (192.0.0.0) from 192.0.3.0 OR 192.0.10.0.
AND by the way,
should this let me block all traffic except when from ports 9100,22,23?:
(following ip tables to be put in the 192.0.3.0 LAN router)
What those rules do greatly depends on your existing firewall setup. That's another reason it's good to know that you're using a wireless router: it means you probably already have a fairly complicated pre-packaged firewall setup that neither of us knows much about. It might be better to use their system than craft raw rules yourself if possible.
What's this -I OUTPUT 4? Why not just append rules at the same time as the firewall's being made instead of inserting later?
Well it goes DSL modem---Wireless router/LAN (static route from 192.0.3.0 to 192.0.0.0)
There is NAT at the modem and the router has some ports forwarded. There is no other hardware/software firewall.
Wireless router tells 192.0.3.0 how to get to 192.0.0.0. All I want to do is put some restrictions on the traffic that goes over that static route.
Don't I need to use -I OUTPUT for traffic leaving the router? Maybe I'm confused ... The WAN port on the router is connected to the DSL modem. The LAN ports on the router go to the switch to the 192.0.0.0 gateway device...
-I inserts rules at the beginning. Why not -A? The difference could be important, especially with my present near-total ignorance of your current firewall. Depending on your firewall rules it's entirely possible that neither will work, and the rules have to be put in the appropriate place in your firewall instead of appended or prepended...
And for traffic to leave the router, it must also enter the router, yes? I think INPUT is more appropriate.
Have you tried the syntax as I actually gave them to you? I guess you can't use -dports, but otherwise...
Knowing your current firewall setup would be useful too...
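The two points the thread keeps coming back to are first-match evaluation ("the first rule will match your printer traffic, the rest won't and will go to the next rule which will drop it") and the difference between -A (append) and -I (insert at the front). The following is an added example, not code from anyone in the thread: a small simulator of one iptables chain with first-match semantics, loaded with the rule set the answer recommends but using the original poster's own addresses (printer 192.0.3.102, server 192.0.0.10) and the ports mentioned (9100, 22, 23). The default policy of ACCEPT, the reply-direction allow rule (which real iptables would express with conntrack ESTABLISHED,RELATED) and the sample packets are assumptions made for the demonstration; nothing here calls iptables.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example: simulates first-match evaluation of one iptables chain.
# Not the router's real firewall; it never calls iptables.


@dataclass
class Rule:
    target: str                         # "ACCEPT" or "DROP"
    src: Optional[str] = None           # --source CIDR, None = any
    dst: Optional[str] = None           # --destination CIDR, None = any
    proto: Optional[str] = None         # -p tcp/udp, None = any
    dports: Optional[Set[int]] = None   # --dports set, None = any port

    def matches(self, pkt: Dict) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dports is not None and pkt.get("dport") not in self.dports:
            return False
        return True


class Chain:
    """Rules are checked top to bottom; the first match decides the verdict."""

    def __init__(self, policy: str = "ACCEPT"):   # assumed default policy
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:         # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:   # iptables -I CHAIN [pos] ...
        self.rules.insert(pos - 1, rule)          # iptables positions are 1-based

    def verdict(self, pkt: Dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy                        # nothing matched: chain policy


def pkt(src: str, dst: str, proto: Optional[str] = None, dport: Optional[int] = None) -> Dict:
    """Constructed sample packet for the simulator."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


PRINTER, SERVER = "192.0.3.102", "192.0.0.10"     # addresses from the thread
LAN2, WAN = "192.0.3.0/24", "192.0.0.0/24"
PRINT_PORTS = {9100, 22, 23}                      # ports asked about in the thread


def build_forward_chain() -> Chain:
    """FORWARD chain built with -A in the order the answer recommends: allow, then deny."""
    fw = Chain()
    fw.append(Rule("ACCEPT", src=PRINTER, dst=SERVER, proto="tcp", dports=PRINT_PORTS))
    # Replies server -> printer. Real iptables would match these with
    # -m conntrack --ctstate ESTABLISHED,RELATED; simulated as a plain allow.
    fw.append(Rule("ACCEPT", src=SERVER, dst=PRINTER))
    fw.append(Rule("DROP", src=LAN2, dst=WAN))    # everything else LAN2 -> WAN
    fw.append(Rule("DROP", src=WAN, dst=LAN2))    # everything else WAN -> LAN2
    return fw


def build_misordered_chain() -> Chain:
    """Same rules, but the LAN2 -> WAN DROP was added with -I instead of -A."""
    fw = build_forward_chain()
    fw.insert(Rule("DROP", src=LAN2, dst=WAN))    # lands at position 1, above the allows
    return fw


if __name__ == "__main__":
    good, bad = build_forward_chain(), build_misordered_chain()
    samples = {
        "print job printer->server:9100": pkt(PRINTER, SERVER, "tcp", 9100),
        "SMB from NAS client ->server:445": pkt("192.0.3.50", SERVER, "tcp", 445),
        "printer->server:445 (not a print port)": pkt(PRINTER, SERVER, "tcp", 445),
    }
    for name, p in samples.items():
        print(f"{name:40s} -A order: {good.verdict(p):6s} -I order: {bad.verdict(p)}")
```

Running the script shows the print job accepted and the SMB traffic dropped with the rules appended in the recommended order, and the same print job dropped once the DROP rule is inserted ahead of the allow rules, which is the ordering concern raised about -I versus -A.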