[SOLVED] Linux NAT firewall

Hey,

So, I have an LXC container that acts like a router and its configuration looks like this:

eth0 - WAN
eth1 - LAN1
eth2 - LAN2
[…]

It’s configured to act as a NAT for every LAN network.
And for obvious reasons - whatever is connected to eth1 can talk to whatever is connected to eth2.

Any solutions to this problem?
I’d like to prevent the possibility of connecting to things connected to eth1 from eth2 and vice versa.

You could use a firewall (iptables) to drop the specific traffic:

iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth2 -o eth1 -j DROP

With my Linux firewalls I drop by default and then whitelist.

Usually I’d iptables-save, modify it, then iptables-restore.

Don’t forget to punch holes for DHCP, and for ICMP for path MTU discovery (you’re going to have a bad time without pmtud working - pretty much anything hosted on Amazon gets all screwy depending on what version of which os you’re using on the client side).
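The two replies above describe the same problem from two ends: the two explicit DROP rules for eth1 <-> eth2, and the default-deny-then-whitelist approach with holes for DHCP and the ICMP messages that path MTU discovery needs. The script below is an added example that is not code from anyone in this thread; it takes the interface names eth0 (WAN), eth1 and eth2 (LANs) from the original post, and the conntrack match, the ICMP types chosen, the "apply" argument and the dry-run printing are assumptions made for the example. It prints the rules by default and only loads them into the kernel when run as root with the argument apply.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny FORWARD/INPUT policy with an
# explicit whitelist for a Linux NAT router. WAN is eth0, LANs are eth1 and eth2
# (names from the original post); everything else below is an assumption.
# Without the "apply" argument the script only prints the iptables commands.

WAN=eth0
LANS="eth1 eth2"            # add further LAN interfaces here; they stay isolated

case "${1:-}" in
    apply) DRY_RUN=0 ;;     # actually load the rules (needs root)
    *)     DRY_RUN=1 ;;     # default: print what would be run
esac

# ipt: wrapper so the same rule list can be printed or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Clean slate, then deny by default: anything not whitelisted is dropped,
    # including traffic on interfaces that do not exist yet.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # --- traffic to the router itself ---
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DHCP hole: clients send DHCPDISCOVER to UDP 67, LAN interfaces only.
    for lan in $LANS; do
        ipt -A INPUT -i "$lan" -p udp --dport 67 -j ACCEPT
    done
    # ICMP holes: fragmentation-needed keeps PMTUD working for the router's own
    # connections; echo-request lets hosts ping the router for troubleshooting.
    ipt -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # --- traffic routed through the box ---
    # Replies and ICMP errors belonging to an allowed connection. conntrack marks
    # a fragmentation-needed message for a tracked flow as RELATED, so PMTUD for
    # LAN hosts works through this single rule without a separate ICMP hole.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Each LAN may open connections towards the WAN and nowhere else. Because the
    # policy is DROP, eth1 -> eth2 matches nothing and is silently dropped.
    for lan in $LANS; do
        ipt -A FORWARD -i "$lan" -o "$WAN" -j ACCEPT
    done

    # NAT: rewrite the source of everything leaving on the WAN interface.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

build_rules
```

With a DROP policy the two explicit eth1/eth2 DROP rules become unnecessary, and a future eth3 is cut off from everything until it is added to LANS, which is the difference between the two approaches. Once the rules are loaded, iptables-save captures them so they can be edited and reloaded with iptables-restore, as the previous reply describes.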

If I do this the way @cburn11way suggested, do I still have to? (My guess is no.)

Up to you; the difference is literally only in what happens when interfaces get created that are not covered by the firewall.