lvfranz
Occasional Visitor

ip forwarding rules

I have configured vTM with IP forwarding and IP transparency to act as the default gateway for all real servers.

All real servers on different VLANs can reach the internet through vTM, which acts as a router.

The reverse side of this is that all VLANs can reach all other VLANs.

Is it possible to manage a routing policy?

Ex. eth0 external interface
    eth1 internal interface with Vlan 10 and Vlan 20 defined

    Vlan10 --> eth0   pass
    Vlan20 --> eth0   pass
    Vlan10 --> Vlan20 block
    Vlan20 --> Vlan10 block
    eth0   --> Vlan10 pass
    eth0   --> Vlan20 pass

All that can be done easily with iptables as

    iptables -A FORWARD -i Vlan20 -o Vlan10 -j DROP
    iptables -A FORWARD -i Vlan10 -o Vlan20 -j DROP

ldarby
Moderator

Re: ip forwarding rules

Hi lvfranz,


If you're using the Virtual Appliance, and if you have a support contract then you could raise an RFE for this functionality.


Note that vTM already has a similar feature, if NAT is enabled then it adds these iptables rules:


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out   source     destination
    0     0 ACCEPT  all  --  *     ens4  0.0.0.0/0  0.0.0.0/0    state NEW
    0     0 ACCEPT  all  --  ens3  *     0.0.0.0/0  0.0.0.0/0    state NEW
    0     0 ACCEPT  all  --  *     *     0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 LOG     all  --  *     *     0.0.0.0/0  0.0.0.0/0    limit: avg 2/min burst 5 LOG flags 0 level 5 prefix "NAT forbidden: "
    0     0 DROP    all  --  *     *     0.0.0.0/0  0.0.0.0/0


If you're using the software version of vTM instead, then it doesn't manage iptables rules (except for the IP transparency rules); that's up to the admin, so you could have any iptables setup with that.


Regards,

Laurence


Pulse Secure vADC Support (Acquired by Ivanti)
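The policy from the question, rendered as an iptables-restore fragment that uses the same default-deny, stateful, log-then-drop pattern Laurence showed for vTM's NAT rules (an added example, not code from the thread or from vTM; the interface names eth0, vlan10 and vlan20 are assumptions):

```shell
#!/bin/sh
# Added example, not from the thread or from vTM: emit an iptables-restore
# fragment for the FORWARD chain implementing lvfranz's policy (each VLAN may
# reach and be reached from the external interface, VLANs may not reach each
# other), using the stateful, log-then-drop pattern of vTM's NAT rules.
# Interface names (eth0, vlan10, vlan20) are assumptions; adjust for your host.

rule() { printf '%s\n' "$*"; }

# forward_rules EXT_IFACE VLAN_IFACE...  -> iptables-restore text on stdout
forward_rules() {
    ext=$1; shift
    rule '*filter'
    # Default-deny on the chain itself, so a VLAN added later is blocked, not passed.
    rule ':FORWARD DROP [0:0]'
    # Replies to connections already accepted below, in either direction.
    rule '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for vlan in "$@"; do
        rule "-A FORWARD -i $vlan -o $ext -m conntrack --ctstate NEW -j ACCEPT"   # VLAN -> eth0 pass
        rule "-A FORWARD -i $ext -o $vlan -m conntrack --ctstate NEW -j ACCEPT"   # eth0 -> VLAN pass
    done
    # Everything else (inter-VLAN traffic included) is logged at a bounded rate, then dropped.
    rule '-A FORWARD -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "FORWARD forbidden: "'
    rule '-A FORWARD -j DROP'
    rule 'COMMIT'
}

# allows_between RULES IN_IFACE OUT_IFACE: exit 0 if RULES holds an explicit
# ACCEPT from IN_IFACE to OUT_IFACE, 1 otherwise (a quick policy self-check).
allows_between() {
    printf '%s\n' "$1" | grep -q -- "-i $2 -o $3 .*-j ACCEPT"
}

# Preview; to validate without loading:  forward_rules eth0 vlan10 vlan20 | sudo iptables-restore --test
forward_rules eth0 vlan10 vlan20
```

`iptables-restore --test` parses the rule set without loading it; dropping the flag replaces the filter table atomically, which avoids the window where only some of the rules are in place.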