I've set up a combination firewall (iptables), router, DHCP and DNS device running Ubuntu x64 at the edge of the network. Everything's working as expected, but I'm looking to keep the number of firewall rules to a minimum as the edge device changes in profile over time, like when additional VLANs (VLAN=dedicated NIC, in this case) or services are added to it.
Suppose the following:
wan0 = Wide Area Network / Internet access
ens123 = Local Area Network / VLAN235
ens456 = Servers / VLAN245
ens789 = Lab / VLAN335
Currently, it's using INPUT rules similar to the following to allow internal machines to access its services:
# allow DNS from lan
-A INPUT -i ens123 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i ens123 -p udp -m udp --dport 53 -j ACCEPT
# allow DNS from servers
-A INPUT -i ens456 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i ens456 -p udp -m udp --dport 53 -j ACCEPT
# allow dns from lab
-A INPUT -i ens789 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i ens789 -p udp -m udp --dport 53 -j ACCEPT
From looking at the iptables documentation and examples online, it looks like using a bang (!) should help by blacklisting only the WAN NIC, thus allowing everything else to connect to the edge from inside the various VLANs.
However, when I switch to using the following rule instead, machines from within a number of VLANs can't access DNS services running on the edge device anymore:
# allow DNS from not-wan
-A INPUT -i !wan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i !wan0 -p udp -m udp --dport 53 -j ACCEPT
- Am I overlooking some small problem with my new rules?
- If not, what's your opinion of a simple way to manage such a setup using iptables?
Because of the nature of this, simple lines + less lines = more better. Let me qualify that: I'd really prefer to not have to touch the firewall at all if multiple VLANs were suddenly added to the network/edge; or, to only need to add one or two rules for the port(s) if another service is added to the edge.
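As an added example (not part of the question above), here is a small POSIX shell generator for the "one rule per service, none per VLAN" layout the question is after. It assumes the interface name wan0 from the question and a user-defined chain called INTERNAL_SERVICES (my naming); the service list is constructed for the demo. Two points it bakes in: in current iptables the negation is a separate token placed before the option (`! -i wan0`), and the per-service rules live in their own chain so adding a service means adding one line there and adding a VLAN means touching nothing. The `lint_negation` function flags rule lines that put the `!` after `-i`/`-o`, which is useful for a quick check of an existing rules file before loading it.

```shell
#!/bin/sh
# Added example: generate an iptables-restore fragment that admits internal
# traffic to the edge's own services without naming each VLAN interface.
# Assumptions: WAN interface name wan0 (from the question), chain name
# INTERNAL_SERVICES (chosen here). Splice the output into the *filter
# section of your rules file; it does not emit *filter/COMMIT itself.

# gen_internal_services WAN_IF proto/port [proto/port ...]
# Emits:  one INPUT rule that jumps everything NOT from WAN_IF into
#         INTERNAL_SERVICES, then one ACCEPT per service in that chain.
gen_internal_services() {
  wan="$1"; shift
  [ -n "$wan" ] || { echo "gen_internal_services: WAN interface required" >&2; return 1; }

  # Declare the chain in iptables-restore syntax (counters zeroed).
  printf '%s\n' ":INTERNAL_SERVICES - [0:0]"
  # Negation goes BEFORE the option: '! -i wan0', one rule for all VLANs.
  printf '%s\n' "-A INPUT ! -i $wan -j INTERNAL_SERVICES"

  for svc in "$@"; do
    proto="${svc%%/*}"
    port="${svc#*/}"
    # Only tcp/udp carry --dport; refuse anything else rather than emit a bad rule.
    case "$proto" in
      tcp|udp) ;;
      *) echo "gen_internal_services: unsupported service '$svc' (use tcp/PORT or udp/PORT)" >&2; return 1 ;;
    esac
    case "$port" in
      ''|*[!0-9]*) echo "gen_internal_services: bad port in '$svc'" >&2; return 1 ;;
    esac
    printf '%s\n' "-A INTERNAL_SERVICES -p $proto -m $proto --dport $port -j ACCEPT"
  done
}

# lint_negation: read rule lines on stdin, print any that place the '!'
# after -i/-o (e.g. '-i !wan0' or '-i ! wan0'). Prints nothing when clean.
lint_negation() {
  grep -nE -- '-(i|o)[[:space:]]+!' || true
}

# Demo: DNS over both transports, plus DHCP, with one rule per service.
gen_internal_services "${WAN_IF:-wan0}" tcp/53 udp/53 udp/67
```

Run it as `WAN_IF=wan0 sh gen-rules.sh > internal.rules` and review the output before merging it into the rules file; `cat current.rules | sh -c '. ./gen-rules.sh >/dev/null; lint_negation'` lists any existing lines that use the post-option `!` placement.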