* FW: Filtering multiple networks
@ 2004-05-31 10:32 Markus Zeilinger
  2004-05-31 10:44 ` David Cannings
  2004-05-31 10:45 ` Frank Gruellich
  0 siblings, 2 replies; 6+ messages in thread
From: Markus Zeilinger @ 2004-05-31 10:32 UTC (permalink / raw)
  To: netfilter

Hi Frank,

Thanks for your prompt answer! Two questions on your comments:

- Why is DROP bad here? As I see it, REJECT would send an error message back to
the source, but this would not make any sense for packets coming in on the WAN
interface with private IP addresses, or am I wrong?

- Why is INPUT not appropriate here? Should I do the dropping earlier,
perhaps in the mangle table?

And yes, I will do something similar in the FORWARD chain :-)

Thanks again!

Cheers,
Markus

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Frank Gruellich
Sent: Monday, May 31, 2004 12:08 PM
To: netfilter
Subject: Re: Filtering multiple networks

* Markus Zeilinger <mz@sea.uni-linz.ac.at> 31. May 04:
> Hi all,

Hello,

> sorry if this is a stupid question, I am just a newbie with iptables.

Okay.

> Now I would like to drop

DROP is considered to be bad.  Maybe you should prefer REJECT.

> all packets coming on the Internet interface on the firewall with
> source address out of the private IP address ranges (10.0.0.0/8,
> 192.168.0.0/16, 172.16.0.0/12 and 169.254.0.0/16).

You have to split it.

> I use the following syntax in my script:
> 
> ...
> WAN_IFACE="eth0"
> PRIV_IP="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,169.254.0.0/16"

PRIV_IP="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16"

> iptables -A INPUT -i $WAN_IFACE -s $PRIV_IP -j DROP

Well, INPUT isn't very appropriate, but:

for ip in $PRIV_IP; do iptables -A INPUT -i "$WAN_IFACE" -s "$ip" -j DROP; done

Maybe you should have something like this in your FORWARD, too.

HTH,
 regards, Frank.
-- 
Sigmentation fault



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: FW: Filtering multiple networks
  2004-05-31 10:32 FW: Filtering multiple networks Markus Zeilinger
@ 2004-05-31 10:44 ` David Cannings
  2004-05-31 10:45 ` Frank Gruellich
  1 sibling, 0 replies; 6+ messages in thread
From: David Cannings @ 2004-05-31 10:44 UTC (permalink / raw)
  To: netfilter

On Monday 31 May 2004 11:32, Markus Zeilinger wrote:
> - Why is DROP bad here? As I see it, REJECT would send an error message
> back to the source, but this would not make any sense for packets coming
> in on the WAN interface with private IP addresses, or am I wrong?

You are not wrong.  Personally I would DROP any bogons coming in on a WAN 
interface.  REJECT does not make sense in this case, if they are 
unallocated or hijacked blocks the replies will not make it anyway.  If 
they are RFC1918 addresses that you are using internally, the replies 
would be sent to your LAN which would not be desirable.

David



* Re: FW: Filtering multiple networks
  2004-05-31 10:32 FW: Filtering multiple networks Markus Zeilinger
  2004-05-31 10:44 ` David Cannings
@ 2004-05-31 10:45 ` Frank Gruellich
  2004-05-31 13:19   ` David Cannings
  1 sibling, 1 reply; 6+ messages in thread
From: Frank Gruellich @ 2004-05-31 10:45 UTC (permalink / raw)
  To: netfilter

* Markus Zeilinger <mz@sea.uni-linz.ac.at> 31. May 04:
> Hi Frank,

Hello,

> Thanks for your prompt answer!

No problem.  Thanks for not top-posting your next reply.  Thanks for not
mangling threading by setting a References: header with a real
mail reader.

> - Why is DROP bad here? As I see it, REJECT would send an error message back to
> the source, but this would not make any sense for packets coming in on the WAN
> interface with private IP addresses, or am I wrong?

It would be kinda polite to point the sender of the packets to his
misconfigured box.  REJECT is like yelling 'Hey, you are wrong!'
DROPping is like closing your eyes to somebody's problem.  Anyway, it's
your decision right here.

> - Why is INPUT not appropriate here? Should I do the dropping earlier,
> perhaps in the mangle table?

Forget it, everything is fine.  I saw a -d for a -s.  BTW: never filter
anything in mangle.

HTH,
 regards, Frank.
-- 
Sigmentation fault



* Re: FW: Filtering multiple networks
  2004-05-31 10:45 ` Frank Gruellich
@ 2004-05-31 13:19   ` David Cannings
  2004-05-31 19:23     ` Frank Gruellich
  0 siblings, 1 reply; 6+ messages in thread
From: David Cannings @ 2004-05-31 13:19 UTC (permalink / raw)
  To: netfilter

On Monday 31 May 2004 10:45, Frank Gruellich wrote:
> * Markus Zeilinger <mz@sea.uni-linz.ac.at> 31. May 04:
> > - Why is DROP bad here? As I see it, REJECT would send an error message
> > back to the source, but this would not make any sense for packets
> > coming in on the WAN interface with private IP addresses, or am I wrong?
> It would be kinda polite to point the sender of the packets to his
> misconfigured box.  REJECT is like yelling 'Hey, you are wrong!'
> DROPping is like closing your eyes to somebody's problem.  Anyway, it's
> your decision right here.

Can you please explain how a TCP RST or ICMP message is supposed to get 
back to a spoofed RFC 1918 (or otherwise reserved) address?  Sending 
replies of any sort out of a WAN interface onto the Internet to a 
reserved or private address is very bad practice.  Some would even argue 
that sending to unallocated space is bad.  If border routers don't drop 
such packets, your firewall most certainly should.

David



* Re: FW: Filtering multiple networks
  2004-05-31 13:19   ` David Cannings
@ 2004-05-31 19:23     ` Frank Gruellich
  2004-05-31 20:59       ` David Cannings
  0 siblings, 1 reply; 6+ messages in thread
From: Frank Gruellich @ 2004-05-31 19:23 UTC (permalink / raw)
  To: netfilter

* David Cannings <lists@edeca.net> 31. May 04:
> On Monday 31 May 2004 10:45, Frank Gruellich wrote:
> > * Markus Zeilinger <mz@sea.uni-linz.ac.at> 31. May 04:
> > > - Why is DROP bad here? As I see it, REJECT would send an error message
> > > back to the source, but this would not make any sense for packets
> > > coming in on the WAN interface with private IP addresses, or am I wrong?
> > [misconfigured box]
> Can you please explain how a TCP RST or ICMP message is supposed to get 
> back to a spoofed RFC 1918 (or otherwise reserved) address?

What makes you think the address is spoofed?  I assumed somebody just
configured their external interface wrong.  Some antique idea that not
all people are bad guys.

> Sending replies of any sort out of a WAN interface onto the Internet
> to a reserved or private address is very bad practice.

Yes, okay, you are right.  Sorry, a reflex, when I see -j DROP.

> Some would even argue that sending to unallocated space is bad.

What do you mean by unallocated space?

Thank you,
 regards, Frank.
-- 
Sigmentation fault



* Re: FW: Filtering multiple networks
  2004-05-31 19:23     ` Frank Gruellich
@ 2004-05-31 20:59       ` David Cannings
  0 siblings, 0 replies; 6+ messages in thread
From: David Cannings @ 2004-05-31 20:59 UTC (permalink / raw)
  To: netfilter

On Monday 31 May 2004 19:23, Frank Gruellich wrote:
> * David Cannings <lists@edeca.net> 31. May 04:
> > On Monday 31 May 2004 10:45, Frank Gruellich wrote:
> > Can you please explain how a TCP RST or ICMP message is supposed to
> > get back to a spoofed RFC 1918 (or otherwise reserved) address?
> What makes you think the address is spoofed?  I assumed somebody just
> configured their external interface wrong.  Some antique idea that not
> all people are bad guys.

Nowadays many core routers will drop packets that appear to come from 
addresses that either haven't been allocated or shouldn't be seen on the 
wider Internet, therefore if packets have got as far as you something is 
awry.  RFC 1918 and RFC 3330 are both good references, then 
http://www.iana.org/ipaddress/ip-addresses.htm.

> > Sending replies of any sort out of a WAN interface onto the Internet
> > to a reserved or private address is very bad practice.
> Yes, okay, you are right.  Sorry, a reflex, when I see -j DROP.

Personally I don't know what to think on the REJECT vs DROP debate, so I 
sit on the fence.  Like everything else, each has advantages and 
disadvantages.

> > Some would even argue that sending to unallocated space is bad.
> What do you mean with unallocated space?

IP blocks that have not been allocated by IANA or one of the regional 
authorities (RIRs).  This conversation is likely to go way off topic for 
this list so instead I'll provide the following URL: 
http://www.cymru.com/Bogons/

David


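The thread settles on three points: the private prefixes have to be fed to iptables one per rule rather than as a comma-separated list, the same filter belongs in FORWARD as well as INPUT, and DROP rather than REJECT is the right verdict for a private or otherwise unroutable source seen on the WAN side, because an RST or ICMP error toward such an address would either leak onto the Internet toward unroutable space or be routed back into the LAN that legitimately uses that range. The script below is an added example written for this page, not Markus's script or Frank's one-liner. It keeps the thread's WAN_IFACE="eth0" default and the four ranges Markus listed; the function names and the ANTISPOOF chain name are my own choices, and the apply function assumes a Linux box with root and the iptables binary. The generator function prints the rules without touching the kernel, so it can be checked on any machine.

```shell
#!/bin/sh
# Drop packets arriving on the WAN interface whose source address is in a
# private (RFC 1918) or link-local range. Added example for this thread.
#
# Old iptables takes exactly one prefix per -s, so PRIV_IP is a
# whitespace-separated list expanded one rule at a time. The rules are
# collected in a dedicated chain (ANTISPOOF, a name chosen here) that is
# jumped to from position 1 of INPUT and FORWARD, so they match before any
# later ACCEPT (e.g. for ESTABLISHED traffic) can let a spoofed packet in.

WAN_IFACE="${WAN_IFACE:-eth0}"
PRIV_IP="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"
ANTISPOOF_CHAIN="ANTISPOOF"

# Emit the iptables commands for <iface> and the given chains, one per line,
# without executing them. Usage: gen_private_source_filters eth0 INPUT FORWARD
gen_private_source_filters() {
    iface="$1"
    shift
    printf 'iptables -N %s\n' "$ANTISPOOF_CHAIN"
    for ip in $PRIV_IP; do
        # DROP, not REJECT: no reply toward an address that is either
        # unroutable on the Internet or in use inside our own LAN.
        printf 'iptables -A %s -i %s -s %s -j DROP\n' \
            "$ANTISPOOF_CHAIN" "$iface" "$ip"
    done
    for chain in "$@"; do
        # Insert at position 1 so the anti-spoof check runs first.
        printf 'iptables -I %s 1 -i %s -j %s\n' "$chain" "$iface" "$ANTISPOOF_CHAIN"
    done
}

# Execute the generated commands. Needs root and iptables on the box.
apply_private_source_filters() {
    iface="$1"
    shift
    iptables -N "$ANTISPOOF_CHAIN" || return 1
    for ip in $PRIV_IP; do
        iptables -A "$ANTISPOOF_CHAIN" -i "$iface" -s "$ip" -j DROP || return 1
    done
    for chain in "$@"; do
        iptables -I "$chain" 1 -i "$iface" -j "$ANTISPOOF_CHAIN" || return 1
    done
}

# Number of commands the generator would run, usable without root.
count_rules() {
    gen_private_source_filters "$@" | wc -l | tr -d ' '
}

# Dry run:        gen_private_source_filters "$WAN_IFACE" INPUT FORWARD
# Apply (root):   apply_private_source_filters "$WAN_IFACE" INPUT FORWARD
```

Later iptables releases document that a comma-separated list in -s expands to multiple rules on their own, so the failure Markus hit is version-dependent; the explicit loop works on every release and makes the generated rule set easy to read back with `iptables -L ANTISPOOF -n -v`, whose per-rule packet counters also show whether anything is actually arriving from those ranges.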
