35 lines
1.3 KiB
Bash
Executable File
35 lines
1.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# vlan_firewall.sh - Configure firewall rules for VLAN isolation
|
|
# This script sets up basic firewall rules for TP-Link router or iptables-based systems
|
|
|
|
set -euo pipefail
|
|
|
|
echo "Configuring VLAN firewall rules..."
|
|
|
|
# VLAN 10: Management (192.168.10.0/24)
|
|
# VLAN 20: Services (192.168.20.0/24)
|
|
# VLAN 1: Default LAN (192.168.1.0/24)
|
|
|
|
# Allow management VLAN to access all networks
|
|
sudo iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
|
|
|
|
# Allow services VLAN to access default LAN on specific ports only
|
|
# Port 53 (DNS), 80 (HTTP), 443 (HTTPS), 9000 (Portainer), 8080 (Traefik)
|
|
sudo iptables -A FORWARD -s 192.168.20.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 53,80,443,9000,8080 -j ACCEPT
|
|
sudo iptables -A FORWARD -s 192.168.20.0/24 -d 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
|
|
|
|
# Block all other traffic from services VLAN to default LAN
|
|
sudo iptables -A FORWARD -s 192.168.20.0/24 -d 192.168.1.0/24 -j DROP
|
|
|
|
# Allow default LAN to access services VLAN
|
|
sudo iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.20.0/24 -j ACCEPT
|
|
|
|
# Allow established connections
|
|
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
echo "Saving iptables rules..."
|
|
sudo iptables-save | sudo tee /etc/iptables/rules.v4
|
|
|
|
echo "VLAN firewall rules configured."
|
|
echo "Note: For TP-Link router, configure ACLs via web UI using similar logic."
|