I have two physical LANs: 192.168.10.* on eth1 and 192.168.20.* on eth2. Both are configured to use the gateway web proxy. I want all traffic blocked between these two LANs. I have tried various custom firewall rules and, though they appear to block pings and traffic on some other ports, they do not block HTTP traffic between the two LANs. As an example, from a browser on an eth1 device I can access web pages on an eth2 device. My guess is that the actual routing as seen by iptables on the ClearOS server for HTTP requests is from the eth1 device to the ClearOS web proxy, with a completely separate request from the web proxy to the eth2 device, thus rendering my iptables rules irrelevant. Here are the custom firewall rules I am currently using, though I have tried many variations found in the forums with the same results:
iptables -I FORWARD -i eth2 -o eth1 -j REJECT
iptables -I FORWARD -i eth1 -o eth2 -j REJECT
When the rules are enabled I can see that ping requests are blocked between the LANs (destination port unreachable) but HTTP requests are not.
But with the rules enabled and web proxy stopped, even HTTP traffic between the LANs is blocked (as expected).
So... what is the proper method of blocking HTTP traffic between two physical LANs behind ClearOS when both are using the web proxy?
I do not want to use HotLAN as both LANs require proxy services.
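The guess in the question is the key point: once the browser's request is handed to the proxy, the second connection (proxy to eth2 web server) originates on the gateway itself, so it traverses OUTPUT, not FORWARD, and the FORWARD REJECT rules never see it. The block therefore has to be enforced inside the proxy as well. The example below is added here and is not code from the question, from ClearOS or from Squid; it is a small first-match evaluator modelled on how Squid applies http_access lines, with the equivalent squid.conf lines shown in comments. The two subnets come from the question; the ACL names (lan_a, lan_b, lan_a_hosts, lan_b_hosts) and the test addresses are assumptions. It also shows the ordering mistake that silently re-enables the cross-LAN traffic: an allow line for the source LAN placed before the deny line.

```python
"""Added example (not from the original post): first-match http_access
evaluation, in the style of Squid, for blocking proxied HTTP between two LANs.

Equivalent squid.conf fragment this models (ACL names are assumed):
    acl lan_a       src 192.168.10.0/24
    acl lan_b       src 192.168.20.0/24
    acl lan_a_hosts dst 192.168.10.0/24
    acl lan_b_hosts dst 192.168.20.0/24
    http_access deny  lan_a lan_b_hosts
    http_access deny  lan_b lan_a_hosts
    http_access allow lan_a
    http_access allow lan_b
    http_access deny  all
"""
import ipaddress

# ACL name -> (what it matches, network). "src" is the client address,
# "dst" is the server address the proxy resolved the request to.
ACLS = {
    "lan_a":       ("src", ipaddress.ip_network("192.168.10.0/24")),
    "lan_b":       ("src", ipaddress.ip_network("192.168.20.0/24")),
    "lan_a_hosts": ("dst", ipaddress.ip_network("192.168.10.0/24")),
    "lan_b_hosts": ("dst", ipaddress.ip_network("192.168.20.0/24")),
    "all":         ("src", ipaddress.ip_network("0.0.0.0/0")),
}

# Corrected order: the cross-LAN deny lines come BEFORE the per-LAN allow lines.
# Each entry is (action, ACL names); a line matches only if all its ACLs match.
HTTP_ACCESS = [
    ("deny",  ["lan_a", "lan_b_hosts"]),
    ("deny",  ["lan_b", "lan_a_hosts"]),
    ("allow", ["lan_a"]),
    ("allow", ["lan_b"]),
    ("deny",  ["all"]),
]

# Weak order: "allow lan_a" is reached first, so the deny line never fires
# for eth1 clients and they can still browse eth2 hosts through the proxy.
WRONG_ORDER = [
    ("allow", ["lan_a"]),
    ("deny",  ["lan_a", "lan_b_hosts"]),
    ("allow", ["lan_b"]),
    ("deny",  ["all"]),
]


def acl_matches(name: str, src: str, dst: str) -> bool:
    """True if the named ACL matches this client/server pair."""
    kind, net = ACLS[name]
    addr = src if kind == "src" else dst
    return ipaddress.ip_address(addr) in net


def http_access(src: str, dst: str, rules=HTTP_ACCESS) -> str:
    """Return 'allow' or 'deny' for a proxied request, first matching line wins."""
    for action, names in rules:
        if all(acl_matches(n, src, dst) for n in names):
            return action
    # Not reachable with a trailing "deny all"; kept so the function is total.
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.10 stands in for an Internet host.
    for src, dst in [("192.168.10.5", "192.168.20.8"),
                     ("192.168.20.8", "192.168.10.5"),
                     ("192.168.10.5", "203.0.113.10"),
                     ("192.168.20.8", "192.168.20.9")]:
        print(f"{src} -> {dst}: correct={http_access(src, dst)}, "
              f"wrong_order={http_access(src, dst, WRONG_ORDER)}")
```

Two practical notes for applying this on the real proxy: a `dst` ACL is compared against the address the proxy resolves the requested host name to, so a request for a server in the other LAN by name is caught as well as one by raw IP; and the FORWARD REJECT rules from the question should stay in place, because they still cover whatever does not pass through the proxy (ping, non-HTTP ports, and HTTP while the proxy is stopped, which is exactly the case where the question reports the block working). Squid evaluates http_access lines top to bottom and stops at the first full match, so check the order after editing and run `squid -k parse` before reloading.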