From: Michael Davidson <michael@bbd.co.za>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Fwd: Inbound and outbound traffic problem
Date: Wed, 21 Dec 2005 15:22:45 +0000 [thread overview]
Message-ID: <43A97345.8060309@bbd.co.za> (raw)
In-Reply-To: <1b47fd660512200515x4d9fed51h5b9eb194d10dbf69@mail.gmail.com>
Hi,
Damn!!! Yes, I forgot to mention this. This is to do with
"anti-spoofing". In Redhat distros it is switched on by default.
A brief simplistic explanation:
A packet is routed to your machine based on the destination address
(obvious), the source address isn't checked along the route, and
you could put anything in there. The final delivery to a computer is
based on the MAC of the interface card; the interface card doesn't even
understand IP, let alone do any address checking. This means that someone
could send you malicious packet(s) with a source IP address that is in
the range used on your internal LAN, in other words a friendly address.
This then is the "spoof".
The anti-spoofing mechanism checks the source address of the packets and
the interface it arrived on and reconciles that against the IP subnet
that is associated with that interface. If there is a mismatch
the packet is discarded. For example: if your internal LAN is using
10.7.1.0/24 on eth1 then a packet arriving on eth0 with a source
address in that range will be discarded.
This next bit is a guess because I have not read it anywhere: the
anti-spoofing mechanism also does not allow you to transmit packets out
of an interface with destination addresses that are not appropriate for
that LAN. The exception of course is the interface which is seen as the
route to the "default gateway" as listed in the "main" routing table.
You can now see why you need to remove the anti-spoofing mechanism from
the second Internet interface. Just declaring a second "default gateway"
in another routing table does not change things.
Now that that automatic protection has been removed from the second
Internet interface you should put some rules in your iptables to compensate.
Finally if you think that by hiding behind a FW doing NAT no one out
there on the internet can see your internal addresses then you would be
wrong. Apart from other applications your Internet browser tells the
world what IP address your PC is using.
Regards Mike.
Janis Daniel Bistevins wrote:
> Thanks Michael for your answer!
> I finally did it in a way similar to what you described: marking packets
> and using NAT. BUT everything started working great when I found a
> little detail:
>
> echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter
> echo "0" > /proc/sys/net/ipv4/conf/eth2/rp_filter
>
> Without this, things were confused.
>
> Where does this come from? I found this trick in a HowTo from a Spanish site:
>
> http://bulma.net/body.phtml?nIdNoticia\x1615
>
> Nowhere else!
> So, what I did, is it a common mistake? Is this assumed by default in
> every configuration and because of this, there are no comments about
> this in any other tutorial or howto?
>
> Anyway, once again Mike, thank you!!
>
> Best regards
>
> J.D.Bistevins
>
>
> On 12/20/05, *Michael Davidson* <michael@bbd.co.za
> <mailto:michael@bbd.co.za>> wrote:
>
> Hi,
> There is another way to do this, but I doubt that it is any more
> elegant than what you have right now. I have just completed this same
> task and I can say that if I could have used your method - overlaying
> another subnet - I would have done so since it's a cleaner solution
> in my view.
>
> I used iptables to "mark" the packets of the flows that were
> generated by the server (WWW).
> I created a second routing table with its own default route.
> I created an "ip rule" which looks for a "mark" on the packets and
> directs those packets to the new routing table.
>
> Keep in mind, for this to work correctly you need to be using NAT or
> Masquerade on at least one of your ISP ports.
>
> Regards Mike
>
>
>
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
--
Regards Mike.
Michael Davidson
Barone Budge & Dominick
Email: michael@bbd.co.za
Office: +27 11 532 8380
BB&D : +27 11 532 8300
Fax: +27 11 532 8400
Mobile: +27 82 650 5707
Home: +27 11 452 4423
This e-mail is confidential and subject to the disclaimer published at
http://www.bbd.co.za
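The reverse-path check Mike describes, and why the second ISP interface fails it until rp_filter is switched off there, worked through as an added simulation (not code from the thread or from the kernel). The interfaces, the 10.7.1.0/24 LAN and the documentation-range ISP addresses are constructed; the simplification that only the "main" table decides is Mike's own point that a second default route in another table, reached via a fwmark rule, does not apply to an incoming, unmarked reply.

```python
import ipaddress

# Constructed dual-homed box: eth0 = ISP 1 (holds the default route in
# the main table), eth1 = internal LAN 10.7.1.0/24, eth2 = ISP 2 whose
# default route lives only in a second table selected by fwmark.
MAIN_TABLE = [
    ("10.7.1.0/24", "eth1"),
    ("192.0.2.0/24", "eth0"),      # ISP 1 link network
    ("203.0.113.0/24", "eth2"),    # ISP 2 link network
    ("0.0.0.0/0", "eth0"),         # default route via ISP 1
]

def route_lookup(table, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rp_filter_accepts(in_iface, src, rp_filter, table=MAIN_TABLE):
    """Strict reverse-path filtering as the thread describes it: the
    packet is kept only if a reply to src would leave via in_iface.
    rp_filter maps interface -> 0/1, mirroring /proc/sys/net/ipv4/conf/*/rp_filter."""
    if rp_filter.get(in_iface, 1) == 0:
        return True                      # check disabled on this interface
    return route_lookup(table, src) == in_iface

def iptables_compensates(in_iface, src, lan="10.7.1.0/24", isp2="eth2"):
    """The compensating rule Mike suggests once rp_filter is off on the
    second ISP interface: drop LAN-sourced packets arriving from ISP 2.
    Equivalent to: iptables -A INPUT -i eth2 -s 10.7.1.0/24 -j DROP"""
    return not (in_iface == isp2
                and ipaddress.ip_address(src) in ipaddress.ip_network(lan))

def accepted(in_iface, src, rp_filter):
    """Combined verdict: kernel anti-spoofing first, then the iptables rule."""
    return rp_filter_accepts(in_iface, src, rp_filter) and \
        iptables_compensates(in_iface, src)

if __name__ == "__main__":
    default = {"eth0": 1, "eth1": 1, "eth2": 1}
    fixed = {"eth0": 1, "eth1": 0, "eth2": 0}   # Janis's echo "0" lines
    print("spoofed LAN src on eth0:", accepted("eth0", "10.7.1.5", default))
    print("ISP 2 reply, default  :", accepted("eth2", "198.51.100.7", default))
    print("ISP 2 reply, rp_filter off:", accepted("eth2", "198.51.100.7", fixed))
    print("spoofed LAN src on eth2, rp_filter off:", accepted("eth2", "10.7.1.5", fixed))
```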