From: Miguel González Castaños
Subject: Re: problem with iptables - wrong rules?
Date: Wed, 14 Jul 2004 11:33:08 +0200
To: fluca1978@virgilio.it, linux-admin@vger.kernel.org
Message-ID: <40F4FDD4.2040807@tid.es>
In-reply-to: <200407141013.43424.fluca1978@virgilio.it>
References: <200407131850.55496.fluca1978@virgilio.it> <40F4E278.7040108@tid.es> <200407141013.43424.fluca1978@virgilio.it>

Luca Ferrari wrote:

>On Wednesday 14 July 2004 09:36 Miguel González Castaños's cat walking on the
>keyboard wrote:
>
>>Hi,
>>
>> I am not sure what your network architecture is, but I assume this:
>>
>> You have a LAN (let's call it LAN1) connected to the Internet through
>>the Linux firewall (192.168.1.7). This firewall also acts as a router,
>>being connected to the 192.168.1.8 router, which is connected to
>>different LANs.
>>
>> With the DROP rule you are blocking packets destined to 192.168.1.8 that
>>come from anywhere (in this case the Internet and LAN1).
>>
>> I assume that when you say you have NATted the connection, you have NATted
>>connections from LAN1 to the Internet and maybe connections from the
>>other LANs, am I wrong? (Maybe you should give us a picture or more
>>details of what you have in your NAT rules.) If so, then LAN1 and the
>>other LANs are routed and not NATted among them.
>>
>> Then, you should block destination to network 192.168.2.0, 192.168.4.0,
>>etc...
>>
>
>I believe you're right, since I've NATted only packets from/to the Internet
>and not another LAN. Anyway, is there a way using iptables to intercept
>packets that are going to the 192.168.1.8 router? I'd like to log those
>packets, but I believe that iptables acts before the kernel routing table,
>thus it is not easy to intercept those packets.
>Any idea?
>
>Thanks,
>Luca
>

You can try using a sniffer on your firewall such as Ethereal or
something like that, and you could see the packets. Anyway, I suppose
packets coming from LAN1 to the other LANs will have in the destination
IP an IP like 192.168.2.x, 192.168.4.x, so you have to block packets
that match these criteria. Something like this (I am writing these rules
roughly to give you the idea):

  # FORWARD, not OUTPUT: packets routed through the firewall never traverse
  # OUTPUT, which only sees packets the firewall itself generates. The /24
  # masks are needed too; without them "-d 192.168.2.0" matches only that
  # single host, not the whole network.
  $IPTABLES -A FORWARD -o $INTIF -d 192.168.2.0/24 -s 192.168.1.0/24 -j DROP
  $IPTABLES -A FORWARD -o $INTIF -d 192.168.4.0/24 -s 192.168.1.0/24 -j DROP

I do not know (since I don't know how you are NATting) if these rules could
block the packets coming from the Internet to 192.168.2.x, etc... Anyway,
your setup is a bit weird... Wouldn't it be easier to block these packets
in the router for the LANs instead of doing that in the firewall? Why
don't you set a different range of IPs for LAN1? I bet it would be much
easier...

HTH

Miguel
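Luca's actual wish was to log the packets heading for the 192.168.1.8 router, not only drop them. The script below is an added example for this thread, not code posted by Miguel or Luca: it builds FORWARD-chain rules that first LOG (rate-limited, so a chatty host cannot flood syslog) and then DROP traffic from LAN1 to each of the other LANs. The interface name, the LAN ranges and the log prefix are assumptions chosen for the example; forwarded traffic is matched in FORWARD because packets routed through the firewall never pass through OUTPUT.

```shell
#!/bin/sh
# Added example (not from the original thread): log, then drop, packets the
# firewall would forward from LAN1 towards the LANs behind 192.168.1.8.
# INTIF, LAN1 and OTHER_LANS are assumptions for this example; override them
# in the environment to match a real setup.

IPTABLES="${IPTABLES:-iptables}"
INTIF="${INTIF:-eth1}"                     # interface towards 192.168.1.8 (assumed)
LAN1="${LAN1:-192.168.1.0/24}"             # the LAN behind the firewall (assumed)
OTHER_LANS="${OTHER_LANS:-192.168.2.0/24 192.168.4.0/24}"   # networks behind the router (assumed)

# Print (do not run) the two rules for one destination network: a rate-limited
# LOG so the kernel log shows who on LAN1 talks to that network, then a DROP.
# Both rules sit in FORWARD: that is the chain routed-through packets traverse.
rules_for_lan() {
    dst="$1"
    printf '%s\n' "$IPTABLES -A FORWARD -o $INTIF -s $LAN1 -d $dst -m limit --limit 5/min -j LOG --log-prefix \"FW-LAN-XTALK: \""
    printf '%s\n' "$IPTABLES -A FORWARD -o $INTIF -s $LAN1 -d $dst -j DROP"
}

# Print the full rule set, two rules per network listed in OTHER_LANS.
build_rules() {
    for net in $OTHER_LANS; do
        rules_for_lan "$net"
    done
}

# Number of rules that would be installed; a quick sanity check before applying.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Apply the rules. With DRY_RUN set the commands are only printed, which is
# also a convenient way to review them before touching a production firewall.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Stand-alone use: "sh thisscript.sh apply" installs the rules,
# "DRY_RUN=1 sh thisscript.sh apply" just shows them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After applying, the logged packets show up in the kernel log (typically /var/log/messages or `dmesg`) with the prefix FW-LAN-XTALK:, including source and destination addresses and the inbound/outbound interfaces, which answers the "is anyone on LAN1 reaching the other LANs, and who" question without running a sniffer. The `-m limit --limit 5/min` on the LOG rule only throttles what is logged; the DROP rule after it still matches every packet.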