* Public IP Confusion
@ 2004-11-17 21:52 Todd L
From: Todd L @ 2004-11-17 21:52 UTC (permalink / raw)
  To: netfilter

Hi everyone,

This is my first post to this list. 

I am fairly new to netfilter and iptables, and I wanted to do the
following setup to protect a class C network from the occasional IP
fragment, SYN and similar DDoS attacks.

My ISP has a router which is .1 on the network and is the gateway for the
machines on the class C. The ISP gives me an Ethernet handoff which
goes into my switch, and my servers are plugged into that switch with a
gateway of .1 and a netmask of 255.255.255.0.

I would like to place a Linux box using iptables between the
switch and the ISP Ethernet handoff to block attackers' IP addresses.

What I thought I could do is have the ISP Ethernet go to eth0 on the Linux
box and eth1 on the Linux box go to the switch, and then somehow make the
Linux box transparent to the network. From what I have read it almost seems
like I need a mix of SNAT and NAT, but I am unsure how to proceed. I have
read a lot of the documentation and HOWTOs and I have not found any
examples of this type of scenario.

Any Advice?

Thank you,

Todd



* Re: Public IP Confusion
From: Josh Nerius @ 2004-11-17 22:13 UTC (permalink / raw)
  To: Todd L; +Cc: netfilter

Hello Todd, 

It sounds like what you need is something like a transparent bridge on
which you can do filtering.

I've utilized a similar setup for testing purposes and found it to be
quite functional.

Linux has this capability through the bridging code built into most
2.6 kernels, and usable in 2.4 kernels by patching (though most newer
2.4 kernels have this already).

Once in place, you can then use iptables to control traffic passing
through the bridge, and this is completely transparent: no NAT, no
network reconfiguration, etc.

Here are two helpful links that should get you started. 

http://www.securityfocus.com/infocus/1737 -- be sure to check out the
"relevant links" at the bottom of the page.
http://www.lartc.org -- this one has quite a bit of information that
may or may not apply to your situation specifically but you'll likely
find this site very useful.

Good luck!

Josh Nerius




-- 
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]



* Re: Public IP Confusion
From: Samuel Jean @ 2004-11-17 22:19 UTC (permalink / raw)
  To: Todd L; +Cc: netfilter

Todd L wrote:

> What I thought I could do is have ISP Ethernet to eth0 on the Linux box,
> eth1 on the Linux box to the switch, and then somehow make the Linux box
> transparent to the network. From what I have read it almost seems like
> I need a mix of SNAT and NAT, but I am unsure how to proceed. I have
> read a lot of the documentation and HOWTOs and I have not found any
> examples of this type of scenario.
>
> Any advice?
The ebtables project is exactly for doing this kind of transparent filtering.
Just set up a bridge between your ISP and your network, depending
on your Internet connection type
(e.g. you wouldn't be able to filter a PPPoE stream yet).

For more information:

http://ebtables.sourceforge.net/

*note:* bridge filtering is part of the Linux 2.6 series;
             there's a patch for 2.4.


> Thank you,
>
> Todd
HTH,

Samuel
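Both replies point at the same design: a bridge with no IP address of its own, with the filtering done on the FORWARD chain as the frames pass through. The script below is an added example, not code from Todd, Josh or Samuel, showing what that looks like for the setup in the original post. It assumes eth0 faces the ISP handoff, eth1 faces the switch, the bridge is named br0, and the kernel has bridge, br_netfilter and xt_physdev support; it uses the iproute2 `ip link` commands rather than the brctl tool of the thread's era, and the address 203.0.113.7 is a constructed sample from the documentation range. DRY_RUN=1 (the default) prints every command instead of running it, so the rule set can be reviewed before it touches a production bridge.

```sh
#!/bin/sh
# Transparent bridging firewall for the setup described in the thread.
# Added example, not code from the thread's authors.
# Assumptions (constructed): eth0 faces the ISP handoff, eth1 faces the LAN
# switch, the bridge is called br0, and the kernel has bridge, br_netfilter
# and xt_physdev support. DRY_RUN=1 (the default) prints each command instead
# of executing it, so the script can be reviewed before it touches a live box.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"      # port towards the ISP router (.1)
LAN_IF="${LAN_IF:-eth1}"      # port towards the switch with the servers
BR_IF="${BR_IF:-br0}"
SYN_RATE="${SYN_RATE:-25/s}"  # new SYNs per second admitted from the ISP side
SYN_BURST="${SYN_BURST:-50}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Both NICs become ports of br0. The bridge carries no IP address, so the box
# is invisible at layer 3: hosts keep .1 as their gateway and nothing is
# renumbered, which is why no SNAT/DNAT is involved at all.
bridge_setup() {
    run ip link add name "$BR_IF" type bridge
    run ip link set "$WAN_IF" master "$BR_IF"
    run ip link set "$LAN_IF" master "$BR_IF"
    run ip link set "$WAN_IF" up
    run ip link set "$LAN_IF" up
    run ip link set "$BR_IF" up
    # Bridged frames only reach iptables when this sysctl is on (provided by
    # the br_netfilter module on current kernels); otherwise only ebtables
    # sees them.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Bridged packets traverse the FORWARD chain, never INPUT or OUTPUT, and the
# physdev match tells apart which bridge port a packet came in on.
firewall_setup() {
    run iptables -N BLOCKLIST || true   # chain may already exist on a re-run
    run iptables -F BLOCKLIST
    run iptables -F FORWARD
    # 1. Per-attacker drops, checked first for anything arriving from the ISP.
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" -j BLOCKLIST
    # 2. Non-initial fragments from outside are dropped. Caveat: if conntrack
    #    is loaded, fragments are reassembled before the filter table and this
    #    rule matches nothing; the reassembly itself then absorbs the noise.
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" -f -j DROP
    # 3. Cap the rate of new TCP connections from outside; excess SYNs are
    #    dropped rather than answered, which keeps the servers' backlogs free.
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" -p tcp --syn \
        -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" -p tcp --syn -j DROP
}

# Add one source address or CIDR prefix to the blocklist. The pattern check
# refuses anything that is not an IPv4 address/prefix, so a value lifted from
# a log line cannot smuggle extra arguments into the command.
block_ip() {
    case "$1" in
        ""|*[!0-9./]*) printf 'block_ip: refusing "%s"\n' "$1" >&2; return 1 ;;
    esac
    run iptables -A BLOCKLIST -s "$1" -j DROP
}

# Usage: sh bridge-fw.sh            (print the commands)
#        DRY_RUN=0 sh bridge-fw.sh  (apply them as root)
main() {
    bridge_setup
    firewall_setup
    block_ip 203.0.113.7    # constructed sample address (documentation range)
}

main
```

The ordering inside FORWARD matters: the blocklist jump comes first so a known bad source is dropped before it can spend any of the SYN budget, and the rate-limit ACCEPT must precede the unconditional SYN DROP or every new connection from outside would be refused. Samuel's ebtables suggestion filters the same bridge at layer 2 and is the right tool when the rules are about MAC addresses or frame types; for per-IP blocking and SYN limiting, iptables over the bridge as above is the more direct fit.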

