From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Matthew Simpson <matthew@txlink.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: using iptables to route between public networks
Date: Tue, 23 Dec 2003 05:53:41 -0500
Message-ID: <1072176819.2184.245.camel@grendel>
In-Reply-To: <00ca01c3c90d$8aafa2f0$6600a8c0@KARI>
On Mon, 2003-12-22 at 23:30, Matthew Simpson wrote:
>
> I have two ethernet cards in this box. One card has a public IP going to my
> internet provider [255.255.255.252 subnet]. The other card also has a
> public IP that is routed to me by my Internet provider [255.255.255.240
> subnet].
<snip>
> My first question, however... if I do a traceroute to a box connected behind
> the router, the "router" interface IP address does not show up in the
> traceroute. It skips directly from my internet provider's gateway address
> to the final destination address. Why?
If everything is configured correctly it should, although most people
would consider this a "feature" as they deny inbound trace attempts.
If it does actually skip from your provider to the internal address,
there are a couple of possibilities:
1) The Linux box is in bridging mode
2) Your subnet address space overlaps
If in between your provider's IP and the internal system is a line that
shows three *'s or three characters preceded by an exclamation point, the
Linux box is filtering this traffic. Possibilities:
1) An OUTBOUND iptables filter rule
2) A sysctl setting has been changed
> Second question, it's not a good idea to blindly forward all packets is it?
Absolutely not. The whole purpose of a firewall is to let through only
what you understand and expect to receive.
> I tried to set up an append rule to the FORWARD chain to drop all packets
> that did not have a destination of $myiprange/28, but iptables seems to
> ignore the rule
Can we see the exact syntax of the rule that you entered?
> [it doesn't work and it doesn't show up in an iptables -L]
> Unless forwarding all packets is okay, what should I do to fix this?
You probably already know this, so maybe it's just a language thing, but
there is a whole lot more you want to block besides packets not headed
to your internal IP address space. Think about what services you actually
have a need for letting people access from the Internet (mail server,
Web server, etc.) and block access to everything else. There is a whole
lot more you can do, but this will get you started in the right
direction.
HTH,
C
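A FORWARD-chain rule set along the lines of the advice in this reply (drop anything not headed for the routed /28, then allow only the services you actually expose), as an added example that is not part of the original thread. The /28 address range, the interface names and the allowed ports are assumed values; IPT defaults to iptables and can be set to echo to preview the rules without applying them.

```shell
#!/bin/sh
# Added example: default-deny FORWARD chain for a Linux box that routes a
# public /28 behind it. Assumed values: the routed /28 (a documentation
# range), the two interface names and the exposed services. Applying the
# rules needs root; set IPT=echo to print them instead.
IPT="${IPT:-iptables}"
MYIPRANGE="${MYIPRANGE:-203.0.113.16/28}"   # assumed: the /28 routed to us
WAN="${WAN:-eth0}"                           # assumed: link to the provider (/30 side)
LAN="${LAN:-eth1}"                           # assumed: interface on the /28 side
ALLOWED_TCP="${ALLOWED_TCP:-25 80}"          # assumed: mail and web only

build_forward_rules() {
    # Start from an empty FORWARD chain whose policy drops what no rule accepts.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies belonging to connections already accepted below.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything arriving from the provider side that is not for our /28 is bogus.
    $IPT -A FORWARD -i "$WAN" ! -d "$MYIPRANGE" -j DROP
    # Hosts inside the /28 may open connections outbound.
    $IPT -A FORWARD -i "$LAN" -s "$MYIPRANGE" -o "$WAN" -j ACCEPT
    # From the Internet, only the listed TCP services on the /28 are reachable.
    for port in $ALLOWED_TCP; do
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$MYIPRANGE" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log (rate limited) and drop everything else so refused traffic is visible.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Number of ACCEPT rules the function emits; useful for a dry run with
# IPT=echo before checking the live chain with: iptables -L FORWARD -v -n
count_accept_rules() {
    build_forward_rules | grep -c -- '-j ACCEPT'
}

# Only apply (or print) the rules when explicitly asked, not when sourced.
if [ "${RUN_RULES:-0}" = "1" ]; then build_forward_rules; fi
```

Run with `IPT=echo RUN_RULES=1 sh forward.sh` to review the generated rules first; `iptables -L FORWARD -v -n` afterwards shows the chain with packet counters, which is where a rule that "doesn't show up" in a bare `iptables -L` should be looked for.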