Help with 2 ISPs

Posted: Thu Aug 14, 2008 3:11 pm
by Commodore
Hello,
please help with a configuration with two Internet providers.
I want to restrict access from both providers.
While I was with only one supplier, it was easier with "chain=input action=accept in-interface=!ether1",
but now, even when I added the same rule for the other provider, there's no effect.
I tried "chain=input action=accept in-interface=ether2" for all networks that I want to have access, but the SSH rules began to go crazy.

These are my filters:
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid

 1   ;;; Allow esatblished connections
     chain=input action=accept connection-state=established

 2   ;;; Allow related connections
     chain=input action=accept connection-state=related

 3 X ;;; Allow UDP
     chain=input action=accept protocol=udp

 4   ;;; Allow ICMP
     chain=input action=accept protocol=icmp

 5 X ;;; Allow connection to router from local network
     chain=input action=accept in-interface=ether2

 6 X ;;; Allow connection to router from local network
     chain=input action=accept in-interface=pptp-in_name

 7 X ;;; Allow connection to router from local network
     chain=input action=accept in-interface=!ether1

 8   ;;; Allow connection to router from local network
     chain=input action=accept in-interface=!pppoe-out_isp

 9   ;;; dropping port scanners
     chain=input action=drop src-address-list=port_scanners

10   ;;; Port scanners to list
     chain=input action=add-src-to-address-list psd=21,3s,3,1 address-list=port_scanners address-list-timeout=2w protocol=tcp

11   ;;; NMAP FIN Stealth scan
     chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg address-list=port_scanners address-list-timeout=2w protocol=tcp

12   ;;; SYN/FIN scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn address-list=port_scanners address-list-timeout=2w protocol=tcp

13   ;;; SYN/RST scan
     chain=input action=add-src-to-address-list tcp-flags=syn,rst address-list=port_scanners address-list-timeout=2w protocol=tcp

14   ;;; FIN/PSH/URG scan
     chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack address-list=port_scanners address-list-timeout=2w protocol=tcp

15   ;;; ALL/ALL scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg address-list=port_scanners address-list-timeout=2w protocol=tcp

16   ;;; NMAP NULL scan
     chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg address-list=port_scanners address-list-timeout=2w protocol=tcp

17   ;;; Drop SSH brute forcers
     chain=input action=drop src-address-list=ssh_blacklist dst-port=22 protocol=tcp

18   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=4w2d
     dst-port=22 protocol=tcp

19   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=2>
     protocol=tcp

20   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=2>
     protocol=tcp

21   chain=input action=add-src-to-address-list connection-state=new address-list=ssh_stage1 address-list-timeout=1m dst-port=22 protocol=tcp

22   ;;; Drop FTP brute forcers
     chain=input action=drop src-address-list=ssh_blacklist dst-port=21 protocol=tcp

23   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=4w2d
     dst-port=21 protocol=tcp

24   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=2>
     protocol=tcp

25   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=2>
     protocol=tcp

26   chain=input action=add-src-to-address-list connection-state=new address-list=ssh_stage1 address-list-timeout=1m dst-port=21 protocol=tcp

27   ;;; Worm Protection
     chain=input action=drop dst-port=135,137,138,139,445 protocol=tcp

28   chain=input action=drop dst-port=135,137,138,139,445 protocol=udp

29   chain=forward action=drop dst-port=135,137,138,139,445 protocol=tcp

30   chain=forward action=drop dst-port=135,137,138,139,445 protocol=udp

31   ;;; Drop Blacklist
     chain=input action=drop src-address-list=ssh_blacklist

32   ;;; Allow SSH to router
     chain=input action=accept dst-port=22 protocol=tcp

33 I ;;; Allow HTTPS to router
     chain=input action=accept in-interface=ether1 dst-port=443 protocol=tcp

34 X ;;; Allow HTTP to router
     chain=input action=accept in-interface=ether1 dst-port=80 protocol=tcp

35 X ;;; Allow FTP to router
     chain=input action=accept in-interface=ether1 dst-port=21 protocol=tcp

36   ;;; Allow TCP 81 to router
     chain=input action=accept dst-port=81 protocol=tcp

37 X ;;; Allow OpenVPN
     chain=input action=accept in-interface=ether1 dst-port=1194 protocol=tcp

38 X chain=input action=accept in-interface=ether1 dst-port=1194 protocol=udp

39 I ;;; Allow PPTP
     chain=input action=accept in-interface=ether1 dst-port=1723 protocol=tcp

40 X chain=input action=accept in-interface=ether1 dst-port=1723 protocol=udp

41 X ;;; Allow Dude to router
     chain=input action=accept in-interface=ether1 dst-port=2211 protocol=tcp

42 I ;;; Allow DNS request
     chain=input action=accept in-interface=ether1 dst-port=53 protocol=udp

43   ;;; Drop everything else
     chain=input action=drop

44 I chain=forward action=jump jump-target=customer in-interface=ether1

45   ;;; Drop unwanted sites
     chain=forward action=drop src-address-list=blocked dst-address-list=block dst-port=80 protocol=tcp

46 X ;;; limit access for some users
     chain=forward action=drop src-address=192.168.0.1-192.168.0.10 dst-port=!80 protocol=tcp

47   ;;; Drop invalid connection packets
     chain=customer action=drop connection-state=invalid

48   ;;; Allow established connections
     chain=customer action=accept connection-state=established

49   ;;; Allow related connections
     chain=customer action=accept connection-state=related

50   ;;; Log dropped connections
     chain=customer action=log log-prefix="customer_drop"

51 I ;;; Allow TCP 80 for forward
     chain=customer action=accept in-interface=ether1 dst-port=80 protocol=tcp

52 I ;;; Allow TCP 21 for forward
     chain=customer action=accept in-interface=ether1 dst-port=21 protocol=tcp

53 I ;;; Allow TCP 901 for forward
     chain=customer action=accept in-interface=ether1 dst-port=901 protocol=tcp

54 I ;;; Allow UDP 27015 for forward
     chain=customer action=accept in-interface=ether1 dst-port=27015 protocol=udp

55 X ;;; Allow TCP 25 for forward
     chain=customer action=accept dst-port=995 protocol=tcp

56   ;;; Drop and log everything else
     chain=customer action=drop
thanks

Re: Help with 2 ISPs

Posted: Thu Aug 14, 2008 3:19 pm
by tgrand
Try using a drop rule instead of an accept.
Drop connections to the router coming in from ether1, and add another rule for the interface connecting to the other provider.
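The following is an added example, not code from either poster or from MikroTik: a small first-match simulation of a RouterOS-style input chain. It models only the in-interface and dst-port matchers (no connection-state tracking) and assumes the chain ends in an unconditional drop, as the listing above does. It shows why a second negated accept rule has no effect once there are two WAN links (each link satisfies the other link's negation, so the final drop is never reached) and why the reply's per-interface drop rules restrict both links. Interface names are the ones from the post; the packets are constructed.

```python
# Added example (not from the forum thread): first-match simulation of a
# RouterOS-style input chain. Interface names follow the post; the packets
# and the port 8291 (Winbox) sample are constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    in_interface: Optional[str] = None   # "ether1" or negated "!ether1"; None = any
    dst_port: Optional[int] = None       # None = any port

    def matches(self, in_if: str, dst_port: int) -> bool:
        if self.in_interface is not None:
            if self.in_interface.startswith("!"):
                # Negated matcher: true for every interface except the named one.
                if in_if == self.in_interface[1:]:
                    return False
            elif in_if != self.in_interface:
                return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def evaluate(chain: List[Rule], in_if: str, dst_port: int) -> str:
    """Return the action of the first matching rule, or 'drop' if nothing
    matches (the post's chain ends with 'Drop everything else')."""
    for rule in chain:
        if rule.matches(in_if, dst_port):
            return rule.action
    return "drop"


WAN_IFACES = ["ether1", "pppoe-out_isp"]   # the two provider links
LAN_IFACE = "ether2"                       # the local network

# 1) The single-ISP chain that used to work: anything not from ether1 is accepted.
SINGLE_ISP = [Rule("accept", in_interface="!ether1"), Rule("drop")]

# 2) Two negated accepts, as attempted in the post: a packet from ether1 fails
#    the first rule but matches "!pppoe-out_isp", and vice versa, so every
#    packet is accepted and the final drop is dead code.
TWO_NEGATED_ACCEPTS = [
    Rule("accept", in_interface="!ether1"),
    Rule("accept", in_interface="!pppoe-out_isp"),
    Rule("drop"),
]

# 3) The reply's suggestion: one explicit drop per WAN link, then accept the
#    rest (LAN, VPN tunnels). Any service that must stay reachable from the
#    Internet needs its accept rule placed *before* these drops.
PER_WAN_DROPS = [Rule("drop", in_interface=wan) for wan in WAN_IFACES] + [
    Rule("accept"),
]


def outcomes(chain: List[Rule], dst_port: int = 8291) -> dict:
    """Verdict of the chain for a new connection to dst_port arriving on each
    interface of interest (constructed sample: 8291, the Winbox port)."""
    return {iface: evaluate(chain, iface, dst_port)
            for iface in WAN_IFACES + [LAN_IFACE]}


if __name__ == "__main__":
    for name, chain in [("single ISP", SINGLE_ISP),
                        ("two negated accepts", TWO_NEGATED_ACCEPTS),
                        ("per-WAN drops", PER_WAN_DROPS)]:
        print(f"{name:20} {outcomes(chain)}")
```

In RouterOS terms the reply corresponds to one "chain=input in-interface=ether1 action=drop" rule and one for pppoe-out_isp, placed after the established/related accepts. Rule order still matters: the "Allow SSH to router" rule in the listing has no in-interface matcher, so if it sits above the per-WAN drops SSH stays reachable from both links, and if it sits below them it is reachable only from the local side.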