Prevent routing between two network segments

[rfulgado]

Hi everybody,

I have a Debian Wheezy with three network interfaces:
eth0 has the public facing ip address.
eth1 is our local LAN. (network: 192.168.2.0/24)
eth2 only has one device directly connected to it, a Wireless Access Point (network: 192.168.100.0/24)

The wireless access point is for our guests. They can use it to access the internet (which is working)
but should not be able to access any machines inside our LAN (not working, 192.168.100.0 clients
can access 192.168.2.0)

I tried iptables rule:
iptables -A INPUT -i eth2 -s 192.168.100.0/24 -d 192.168.2.0/24 -j DROP

Thanks

[ralph.ronnquist]

You should have that rule in the FORWARD chain rather, or as well. The INPUT chain applies to input packets to the machine itself only.

My favourite illustrations of this are http://jensd.be/wp-content/uploads/iptables_chains.png and http://www.linuxjournal.com/files/linux ... 0822f1.png. Search iptables-chains.png images for more.

[rfulgado]

OK... thanks for the advice. I will try it. And let you know how it went.

[rfulgado]

Hi Ralph,

These rules did the trick:
iptables -A OUTPUT -s 192.168.100.0/24 -d 192.168.2.0/24 -j DROP
iptables -A INPUT -i eth2 -s 192.168.100.0/24 -d 192.168.2.0/24 -j DROP
iptables -A FORWARD -i eth2 -s 192.168.100.0/24 -d 192.168.2.0/24 -j DROP


Thanks so much for your help.