Making hosts accessible between LAN subnets
Posted by nixnotwin on Server Fault
Published on 2011-02-09T03:47:31Z
Indexed on 2011/02/10 7:27 UTC
I have two interfaces on my router with Tomato firmware: br0 and vlan4. br0 is on the 192.168.0.0/16 subnet and vlan4 on the 10.0.1.0/24 subnet. As I don't want the different network services on br0 available on vlan4, I have added these firewall rules:
iptables -I INPUT -i vlan4 -j ACCEPT;
iptables -I FORWARD -i vlan4 -o vlan2 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan4 -j DROP;
vlan2 is my WAN (internet access).
The issue that I want to solve is that I want to make one host from the 192.168.0.0/16 network (br0), which has IP 192.168.0.50, available on vlan4 (10.0.1.0/24). Only that host should be available on vlan4 (and all other hosts on br0 should be inaccessible). What firewall rules can be used to do it?
Edit 1:
Output of iptables -nvL FORWARD:
Chain FORWARD (policy DROP 4 packets, 204 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- vlan4 192.168.0.50 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan4 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW
229 13483 ACCEPT all -- vlan4 vlan2 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- br0 vlan3 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan3 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW
67 3405 ACCEPT all -- vlan3 vlan2 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
34 1360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
758 40580 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
11781 2111K restrict all -- * vlan2 0.0.0.0/0 0.0.0.0/0
26837 19M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
287 15927 wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
283 15723 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 upnp all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
Output of iptables -t nat -nvL PREROUTING:
Chain PREROUTING (policy ACCEPT 6887 packets, 526K bytes)
pkts bytes target prot opt in out source destination
855 83626 WANPREROUTING all -- * * 0.0.0.0/0 222.228.137.223
0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.0.0/16
0 0 DNAT udp -- * * 192.168.0.0/16 !192.168.0.0/16 udp dpt:53 to:192.168.0.1
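Added example, not part of the question or any answer to it: a first-match simulator of an iptables FORWARD chain, used to check a candidate rule order for this setup (interface names and addresses are the question's; the rule order and the 10.0.1.20 / 203.0.113.9 sample addresses are my assumptions) before loading it on the router. It also shows the failure mode where the br0-to-vlan4 DROP sits above the RELATED,ESTABLISHED accept, so replies from 192.168.0.50 never reach vlan4.

```python
from ipaddress import ip_address, ip_network

# Each rule: (in_iface, out_iface, dst_network, conntrack states, target).
# None means "any", mirroring an omitted -i / -o / -d / -m state option.
CANDIDATE_FORWARD = [
    # iptables -A FORWARD -i vlan4 -o br0 -d 192.168.0.50 -m state --state NEW -j ACCEPT
    ("vlan4", "br0", "192.168.0.50/32", {"NEW"}, "ACCEPT"),
    # iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # (must precede the br0 -> vlan4 DROP, otherwise replies from .50 are dropped)
    (None, None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),
    # iptables -A FORWARD -i br0 -o vlan4 -j DROP
    ("br0", "vlan4", None, None, "DROP"),
    # iptables -A FORWARD -i vlan4 -o br0 -j DROP  (every other br0 host stays hidden)
    ("vlan4", "br0", None, None, "DROP"),
    # iptables -A FORWARD -i vlan4 -o vlan2 -m state --state NEW -j ACCEPT
    ("vlan4", "vlan2", None, {"NEW"}, "ACCEPT"),
]
POLICY = "DROP"  # chain policy, as in the question's listing


def matches(rule, pkt):
    in_if, out_if, dst, states, _ = rule
    if in_if is not None and pkt["in"] != in_if:
        return False
    if out_if is not None and pkt["out"] != out_if:
        return False
    if dst is not None and ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    if states is not None and pkt["state"] not in states:
        return False
    return True


def forward_verdict(pkt, chain=CANDIDATE_FORWARD, policy=POLICY):
    """First matching rule wins, as in netfilter; otherwise the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule[4]
    return policy


def vlan4_to_br0(dst, state="NEW"):
    return forward_verdict({"in": "vlan4", "out": "br0", "dst": dst, "state": state})


def br0_to_vlan4(state, dst="10.0.1.20"):  # 10.0.1.20: constructed vlan4 client
    return forward_verdict({"in": "br0", "out": "vlan4", "dst": dst, "state": state})


def drop_before_established():
    """The broken order: br0 -> vlan4 DROP ahead of the RELATED,ESTABLISHED accept."""
    c = list(CANDIDATE_FORWARD)
    c[1], c[2] = c[2], c[1]
    return c
```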
© Server Fault or respective owner