From: "Antonio Paulo Salgado Forster" <aforster@br.ibm.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Re: RFC1918 blocking and DNAT
Date: Wed, 11 Apr 2001 21:50:08 +0000 [thread overview]
Message-ID: <marc-lartc-98703746101976@msgid-missing> (raw)
Not much related to this, but is there any way to make CBQ match packets
with no firewall mark set (the default) when using the firewall mark classifier?
Thanks!
Forster
"Alexander W . Janssen" <yalla@ynfonatic.de>@lists.samba.org on 11/04/2001 18:34:57
Please respond to "Alexander W . Janssen" <yalla@ynfonatic.de>
Sent by: netfilter-admin@lists.samba.org
To: Urs Thuermann <urs@isnogud.escape.de>
cc: Netfilter Mailinglist <netfilter@lists.samba.org>
Subject: Re: RFC1918 blocking and DNAT
Hello Urs,
On Sun, Apr 01, 2001 at 11:03:42AM +0200, Urs Thuermann wrote:
[...]
> iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 10.0.0.0/8 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 172.16.0.0/12 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j MARK --set-mark 1
>
> iptables -A extin -m mark --mark 1 -j DROP
>
> Would this work? And is there another way to do it, using only the
> filter tables?
Yes, this would work. Another way to restrict so called "martians"
(packets with a source IP equal to a privately assigned one which come from
the internet) is setting the kernel option "reverse path filtering" to
the value of 2 for your external interface. Example:
echo 2 > /proc/sys/net/ipv4/conf/ippp0/rp_filter
if ippp0 is your external interface.
Turning on this option drops all obviously "bogus" packets, that means:
if you have a network 172.16.0.0/12 behind your firewall, then no one
with one of these IPs would be allowed to be routed through your
Linux box. You might want to read the "Advanced Routing HOWTO",
especially section 12.1 "Reverse Path Filtering"
(http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-12.html).
Anyway, the best would be to block martians on the router. Just add
the crap to the DENY-list of the router. Possible at least on Cisco.
Call your provider if you can't administrate your router by yourself.
> BTW, the man page does not tell what the default value of a packet's
> netfilter mark is when it is not changed in the mangle table. I
> assume this is 0, right?
There is no implicit mark, you always have to give a --set-mark.
Cheers, Alex.
--
Join the Linuxbierwanderung 2001 !
25.8.2001 - 1.9.2001 in Bouillon, Belgium
Sign on today at http://lbw2001.ynfonatic.de/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
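The thread puts two defences side by side: marking RFC1918 traffic in the mangle table and dropping marked packets on the external input chain, versus reverse path filtering on the external interface. The script below models both on constructed packets so the difference is visible. It is an added example written for this archive page, not code from either poster or from the netfilter project; the routing table, sample addresses, the interface names (ippp0 as the external link, eth0 as the LAN) and the chain name `extin` are taken from or assumed after the quoted rules. The netfilter mark is modelled as an integer that is 0 until a MARK rule sets it, which is the value a "default" class has to match on. The rp_filter modes follow current kernel documentation, where 1 is strict (RFC 3704) and 2 is loose.

```python
"""Added example: RFC1918 mark/drop rules vs. reverse path filtering."""
import ipaddress
from dataclasses import dataclass

# The three RFC1918 ranges from the quoted MARK rules.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXTERNAL_IF = "ippp0"   # assumption: the external link, as in the quoted reply

# Constructed routing table (prefix, output interface); longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),     # LAN behind the box
    (ipaddress.ip_network("0.0.0.0/0"), EXTERNAL_IF),     # default route
]


@dataclass
class Packet:
    src: str
    dst: str
    iif: str            # interface the packet arrived on
    mark: int = 0       # the mark is 0 until a MARK rule sets it


def mangle_prerouting(pkt: Packet) -> Packet:
    """The six quoted MARK rules: mark 1 if src or dst is in RFC1918 space."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(src in net or dst in net for net in RFC1918):
        pkt.mark = 1
    return pkt


def extin_filter(pkt: Packet) -> str:
    """Chain 'extin' from the quoted rules: -m mark --mark 1 -j DROP, else accept."""
    return "DROP" if pkt.mark == 1 else "ACCEPT"


def route_lookup(addr: ipaddress.IPv4Address):
    """Output interface of the most specific matching route, or None."""
    best = None
    for net, dev in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rp_filter(pkt: Packet, mode: int) -> str:
    """Reverse path check on the ingress interface.
    mode 0: off; mode 1: strict, the route back to src must leave via pkt.iif;
    mode 2: loose, src only has to be reachable via some interface."""
    if mode == 0:
        return "ACCEPT"
    dev = route_lookup(ipaddress.ip_address(pkt.src))
    if dev is None:
        return "DROP"
    if mode == 1 and dev != pkt.iif:
        return "DROP"
    return "ACCEPT"


def process(pkt: Packet, rp_mode: int) -> str:
    """One inbound packet: the mangle PREROUTING hook runs first, the routing
    code then applies rp_filter, and the extin chain is consulted only for
    packets that arrived on the external interface."""
    mangle_prerouting(pkt)
    if rp_filter(pkt, rp_mode) == "DROP":
        return "DROP (rp_filter)"
    if pkt.iif == EXTERNAL_IF and extin_filter(pkt) == "DROP":
        return "DROP (extin mark 1)"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed samples: spoofed LAN source, spoofed 10/8 source,
    # a legitimate public source, and ordinary LAN traffic going out.
    samples = [
        ("192.168.1.10", "203.0.113.5", EXTERNAL_IF),
        ("10.1.2.3", "203.0.113.5", EXTERNAL_IF),
        ("198.51.100.7", "203.0.113.5", EXTERNAL_IF),
        ("192.168.1.10", "198.51.100.7", "eth0"),
    ]
    for mode in (0, 1, 2):
        for src, dst, iif in samples:
            verdict = process(Packet(src, dst, iif), mode)
            print(f"rp_filter={mode} {src:>14} in {iif:5}: {verdict}")
```

Running it shows why the two mechanisms are complementary rather than interchangeable: strict rp_filter catches a spoofed 192.168.1.x source on the external link because the route to that prefix points at eth0, but it accepts a 10.x source arriving there because the default route points back out ippp0, and only the mark rules (or explicit unreachable routes for the private ranges) catch that case. Loose mode accepts both, since any route counts as reachability. Strict mode also drops legitimate traffic under asymmetric routing, which is the usual reason for choosing loose mode on multi-homed boxes.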