I have 2 networks like this:
Site A:
- Subnet 10.1.1.0/24
- Multiple machines on this subnet.
- 3 servers on IP nodes .1, .2, .3
- A GRE box that mounts a tunnel to Site B, on IP node .20
- A CPE on IP node .254
Site B:
- Subnet 10.2.1.0/24
- Multiple machines on this subnet.
- A GRE box that mounts a tunnel to Site A, on IP node .20
- A CPE on IP node .254
Between them: the Internet.
No issue with the GRE tunnel, it mounts without any issue.
GRE "A" has a tunnel interface on 10.10.10.1 and GRE "B" has a tunnel interface on 10.10.10.2
All machines on each side of the tunnel can communicate.
I would like to allow only the three servers of Site A to communicate with the PCs of Site B.
I made this configuration on the GRE machine on Site A, but I have no skill with iptables, so it does not work as I would like:
With this config, no traffic is blocked between the sites, so any machine is able to contact anyone else. The only thing that is blocked is direct access to the GRE box from a machine on Site A.
Code:
-A INPUT -s 10.1.1.1/32 -i ens160 -j ACCEPT
-A INPUT -s 10.1.1.2/32 -i ens160 -j ACCEPT
-A INPUT -s 10.1.1.3/32 -i ens160 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/28 -i ens160 -p gre -j ACCEPT ### xxx.xxx.xxx.xxx is Site B Pub IP
-A INPUT -i ens160 -p gre -j DROP
-A INPUT -i ens160 -j DROP
For instance: the PC with IP 10.1.1.5 is able to contact anyone on Site B, whereas it should not.
Many thanks in advance to anyone who could lead me to a solution.
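As an added example (not the poster's own config): the rules in the post all sit in the INPUT chain, which only sees packets addressed to the GRE box itself, while traffic that transits the box between ens160 and the tunnel is evaluated in the FORWARD chain. The script below generates an iptables-restore ruleset for the Site A box that forwards only connections initiated by 10.1.1.1, .2 and .3 towards 10.2.1.0/24; it assumes the tunnel interface is named gre1 (an assumption, the post does not name it) and that Site B hosts should not initiate connections back.

```sh
#!/bin/sh
# Added example: FORWARD-chain policy for the Site A GRE box.
# ens160 is the LAN interface from the post; gre1 is an ASSUMED tunnel interface name.
LAN_IF=ens160
TUN_IF=gre1
SITE_B=10.2.1.0/24
ALLOWED="10.1.1.1 10.1.1.2 10.1.1.3"   # the three servers from the post

# Print the FORWARD rules, one per line, in the same "-A ..." style as the post.
gen_forward_rules() {
  # Replies to already-accepted sessions pass first; only new flows are policy-checked.
  echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for s in $ALLOWED; do
    # Only these three sources may open connections from the LAN into the tunnel.
    echo "-A FORWARD -i $LAN_IF -o $TUN_IF -s $s/32 -d $SITE_B -j ACCEPT"
  done
  # Anything else crossing between the LAN and the tunnel is dropped, both ways,
  # so 10.1.1.5 can no longer reach Site B and Site B cannot initiate towards Site A.
  echo "-A FORWARD -i $LAN_IF -o $TUN_IF -j DROP"
  echo "-A FORWARD -i $TUN_IF -o $LAN_IF -j DROP"
}

# Wrap the rules in an iptables-restore "filter" table with a default DROP policy.
gen_ruleset() {
  echo "*filter"
  echo ":FORWARD DROP [0:0]"
  gen_forward_rules
  echo "COMMIT"
}

# Only touch the live firewall when explicitly asked; --noflush keeps the INPUT rules.
if [ "$1" = "--apply" ]; then
  gen_ruleset | iptables-restore --noflush
else
  gen_ruleset
fi
```

Run it without arguments to review the generated rules; `--apply` loads them with iptables-restore on the GRE box. The existing INPUT rules are left untouched.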