Context

I have two networks, trusted: 10.0.1.0/24 and untrusted: 10.0.2.0/24, with a pretty standard setup that does the following:

  • NAT/masq
  • guests on both networks can connect to the internet
  • guests on both networks can connect to the services (dns, dhcp) on the firewall

Currently, all the guests on both networks can see other guests in their own network.

Problem

What rule can prevent clients in the untrusted network from seeing each other or clients on the trusted network?

E.g. 0.0.2.12 should not see 10.0.2.13 or 10.0.1.11.

Clients on the trusted network should see each other and untrusted clients (this works now).

  • It's easy to prevent untrusted clients from seeing trusted clients (less easy if you still need trusted clients to see untrusted clients). What is not easy is to have untrusted clients not see each other. It's called PVLAN and it's not solved at layer 3 (IP) but at layer 2. Since iptables works at layer 3, the solution can't be done with iptables alone. Information here: en.wikipedia.org/wiki/Private_VLAN . Don't let the "VLAN" mislead you into thinking it's not relevant. That's still the concept, and you might need to use bridges, VLANs, other tools like ebtables and/or arptables
    – A.B
    Commented Feb 24, 2018 at 20:59
  • @A.B Make this an answer and I will accept it :)
    – Wilbert
    Commented Feb 26, 2018 at 8:29
  • Will do then (with answer for the 2 first "questions")
    – A.B
    Commented Feb 26, 2018 at 16:49

1 Answer

You have three questions in one. Given that I don't have the full configuration, I'm giving simple commands that might work, or might have to be adapted to your configuration.

  • how to prevent access to secure LAN from untrusted LAN?

    iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -j DROP
    

Self-explanatory: packets from source 10.0.2.0/24 can never cross to 10.0.1.0/24.

  • how to still allow access to untrusted LAN from secure LAN?

    iptables -I FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD 2 -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT
    

Note the use of -I to have those commands placed before the command in the first question's answer, and the 2 to keep the usual order. The second command isn't required; it's here to give the intent, and whether you need it depends on your configuration. The first command allows answer packets from untrusted to come back to trusted, by querying the conntrack facility of netfilter. This would work between the two LANs only for connections previously initiated from trusted to untrusted. Usually this first command is written globally once (without using -s and -d to restrict it to those two LANs).

  • how to prevent access of untrusted hosts from other untrusted hosts in the same LAN?

While the first two questions can be handled with a router, working at layer 3 (IP), the last question can't be solved that easily: hosts are not routed (i.e. at layer 3) between themselves in their LAN; they share a layer 2 device such as a switch, and tools working at this level have to be used. iptables, working at layer 3, couldn't be used alone. The corresponding isolation implementation is called Private VLAN. This feature is usually implemented directly on network equipment.

If the same was done on a standard Linux server, it would require a high number of network interfaces to work like a switch (managing a virtual environment makes it easier, since interfaces become free to add). The firewalling at layer 2 for this is done using ebtables. Here are some Q/A on this topic: https://unix.stackexchange.com/questions/12026/private-vlans-under-linux https://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges

If the Linux server had a limited number of ports, thus not itself acting as the switch, it would require a way to receive all traffic from the untrusted LAN and have some tag on each packet to identify its source, probably requiring an abnormally high number of VLANs and, in any case, specific configuration on network equipment.
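The following script is an added example and is not part of the answer above; it puts the three pieces of the answer together in one place. The layer-3 part builds the same FORWARD chain the answer describes, but with plain -A in the order the answer's -I / -I 2 / -A sequence produces (conntrack rule first, trusted-to-untrusted ACCEPT second, untrusted-to-trusted DROP last). The layer-2 part covers the third question for the case where the Linux box itself is the bridge/switch for the untrusted LAN: an ebtables rule in the FORWARD chain drops every frame bridged between ports of that bridge, while frames addressed to the bridge's own MAC (the gateway, DNS and DHCP on the firewall) go through INPUT and are unaffected. The subnets, the bridge name br-untrusted and the port names are assumptions. By default the script only prints the commands; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example, not the original answer's code. Dry-run by default:
# prints the iptables/ebtables commands; APPLY=1 executes them (needs root).
# Subnet and interface names below are assumptions for illustration.
TRUSTED_NET=${TRUSTED_NET:-10.0.1.0/24}
UNTRUSTED_NET=${UNTRUSTED_NET:-10.0.2.0/24}
UNTRUSTED_BRIDGE=${UNTRUSTED_BRIDGE:-br-untrusted}   # assumed bridge name
UNTRUSTED_PORTS=${UNTRUSTED_PORTS:-"unt0 unt1 unt2"} # assumed bridge ports
APPLY=${APPLY:-0}

# Print the command (dry run) or execute it (APPLY=1).
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Layer 3 (questions 1 and 2): rule order is what makes this work.
l3_rules() {
    # 1. Return traffic of any tracked flow is accepted first, whatever its
    #    direction; this is what lets untrusted hosts answer trusted hosts.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Trusted hosts may open new connections to untrusted hosts.
    run iptables -A FORWARD -s "$TRUSTED_NET" -d "$UNTRUSTED_NET" -j ACCEPT
    # 3. Untrusted hosts may never open new connections to trusted hosts.
    #    Only NEW packets reach this rule, since rule 1 already took the rest.
    run iptables -A FORWARD -s "$UNTRUSTED_NET" -d "$TRUSTED_NET" -j DROP
}

# Layer 2 (question 3): isolate untrusted hosts from each other when this
# box is their bridge. Bridged frames between two ports traverse the ebtables
# FORWARD chain; frames for the bridge's own address traverse INPUT instead,
# so the gateway services stay reachable while host-to-host frames are dropped.
l2_rules() {
    for port in $UNTRUSTED_PORTS; do
        run ip link set dev "$port" master "$UNTRUSTED_BRIDGE"
    done
    run ebtables -A FORWARD --logical-in "$UNTRUSTED_BRIDGE" -j DROP
}

l3_rules
l2_rules
```

Because the ebtables rule keys on the logical bridge rather than on individual port pairs, adding a port to the bridge later does not require a new rule. A caveat worth checking on the real box: if the bridge also carries the uplink to the trusted LAN as a port (rather than the firewall routing between two separate interfaces), the blanket DROP would cut that path too, and the rule would have to be narrowed to the untrusted ports with -i/-o.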
