You have three questions in one. Given that I don't have the full configuration, I'm giving simple commands that might work, or might have to be adapted to your configuration.

Self-explanatory: packets from source 10.0.2.0/24 can never cross to 10.0.1.0/24.

- how to still allow access to untrusted LAN from secure LAN?
```
iptables -I FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT
```

Note the use of `-I` to have those commands placed before the command in the first question's answer, and the `2` to keep the usual order. The second command isn't required; it's here to give the intent, and it depends on your configuration whether you need it or not. The first command allows answer packets from untrusted to come back to trusted, by querying the conntrack facility of netfilter. This would work between the two LANs only for connections previously initiated from trusted to untrusted. Usually this first command is written globally once (without using `-s` and `-d` restricting it to those two LANs).
- how to prevent access of untrusted hosts from other untrusted hosts in the same LAN?
While the first two questions can be handled with a router, working at layer 3 (IP), the last question can't be solved that easily: hosts are not routed (i.e. at layer 3) between themselves in their LAN; they share layer 2 equipment such as a switch, and tools working at this level have to be used. `iptables`, working at layer 3, couldn't be used alone. The corresponding isolation implementation is called Private VLAN. This feature is usually implemented directly on network equipment.

If the same were done on a standard Linux server, it would require a high number of network interfaces to work like a switch (managing a virtual environment makes it easier, since interfaces become free to add). The firewalling at layer 2 for this is done using `ebtables`. Here are some Q/A on this topic:
https://unix.stackexchange.com/questions/12026/private-vlans-under-linux
https://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges
If the Linux server had a limited number of ports, thus not itself acting as the switch, it would require a way to receive all traffic from the untrusted LAN and have some tag on each packet to identify its source, probably requiring an abnormally high number of VLANs and, in any case, specific configuration on network equipment.
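As an added example (not part of the answer above), the following shell script writes the FORWARD rules as an iptables-restore fragment in the order the answer requires, next to the order you get when the conntrack rule ends up after the DROP, and includes a check that flags the wrong order. It assumes 10.0.1.0/24 is the trusted LAN, 10.0.2.0/24 the untrusted one, and that the first question's rule is a plain DROP from untrusted to trusted (that rule is not shown on this page).

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed addressing:
TRUSTED=10.0.1.0/24      # secure LAN (assumption)
UNTRUSTED=10.0.2.0/24    # untrusted LAN (assumption)

# Correct order: conntrack reply rule first (what -I achieves), then
# trusted->untrusted, then the assumed DROP from the first question.
build_forward_rules() {
    cat <<EOF
*filter
-A FORWARD -s $UNTRUSTED -d $TRUSTED -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $TRUSTED -d $UNTRUSTED -j ACCEPT
-A FORWARD -s $UNTRUSTED -d $TRUSTED -j DROP
COMMIT
EOF
}

# Wrong order: the result of adding the conntrack rule with -A after the DROP.
# First match wins, so replies to trusted-initiated connections are dropped.
broken_forward_rules() {
    cat <<EOF
*filter
-A FORWARD -s $UNTRUSTED -d $TRUSTED -j DROP
-A FORWARD -s $TRUSTED -d $UNTRUSTED -j ACCEPT
-A FORWARD -s $UNTRUSTED -d $TRUSTED -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save/iptables-restore text on stdin and prints one of:
#   ok            conntrack ACCEPT precedes the untrusted->trusted DROP
#   bad-order     DROP precedes the conntrack ACCEPT (replies never return)
#   missing-rule  one of the two rules is absent
# Exit status is 0 for ok, 1 otherwise.
check_rule_order() {
    rules=$(cat)
    accept_pat="-A FORWARD -s $UNTRUSTED -d $TRUSTED .*ESTABLISHED,RELATED.* -j ACCEPT"
    drop_pat="-A FORWARD -s $UNTRUSTED -d $TRUSTED -j DROP"
    accept_no=$(printf '%s\n' "$rules" | grep -n -e "$accept_pat" | head -n 1 | cut -d: -f1)
    drop_no=$(printf '%s\n' "$rules" | grep -n -e "$drop_pat" | head -n 1 | cut -d: -f1)
    if [ -z "$accept_no" ] || [ -z "$drop_no" ]; then
        echo missing-rule; return 1
    elif [ "$accept_no" -lt "$drop_no" ]; then
        echo ok; return 0
    else
        echo bad-order; return 1
    fi
}
```

Apply the correct set with `build_forward_rules | iptables-restore`; the same check can be run against a live box with `iptables-save | check_rule_order`.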