* [LARTC] Re: RFC1918 blocking and DNAT
@ 2001-04-11 21:50 Antonio Paulo Salgado Forster
From: Antonio Paulo Salgado Forster @ 2001-04-11 21:50 UTC (permalink / raw)
To: lartc
Not much related to this, but is there any way to make CBQ match packets
with no firewall mark set (the default) when using the firewall mark classifier?
Thanks!
Forster
"Alexander W . Janssen" <yalla@ynfonatic.de>@lists.samba.org on 11/04/2001
18:34:57
Please respond to "Alexander W . Janssen" <yalla@ynfonatic.de>
Sent by: netfilter-admin@lists.samba.org
To: Urs Thuermann <urs@isnogud.escape.de>
cc: Netfilter Mailinglist <netfilter@lists.samba.org>
Subject: Re: RFC1918 blocking and DNAT
Hello Urs,
On Sun, Apr 01, 2001 at 11:03:42AM +0200, Urs Thuermann wrote:
[...]
> iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 10.0.0.0/8 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 172.16.0.0/12 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j MARK --set-mark 1
>
> iptables -A extin -m mark --mark 1 -j DROP
>
> Would this work? And is there another way to do it, using only the
> filter tables?
yes, this would work. Another way to restrict so called "martians"
(packets with source-ip equal to private assigned ones which come from
the internet) is setting the kernel-option "reverse path filtering" to
the value of 2 for your external interface. Example:
echo 2 > /proc/sys/net/ipv4/conf/ippp0/rp_filter
if ippp0 is your external interface.
Turning on these options drops all obviously "bogus"
packets, that means: If you have a network 172.16.0.0/12 behind your
firewall, then no one with one of these IPs would be allowed to be
routed through your Linux-Box. You might want to read the "Advanced
Routing HOWTO", especially section 12.1 "Reverse Path Filtering"
(http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-12.html).
Anyway, but the best would be to block martians on the router. Just add
the crap to the DENY-list of the router. Possible at least on Cisco.
Call your provider if you can't administrate your router by yourself.
> BTW, the man page does not tell what the default value of a packets
> netfilter mark is when it is not changed in the mangle table. I
> assume this is 0, right?
There is no implicit mark, you always have to give a --set-mark.
Cheers, Alex.
--
Join the Linuxbierwanderung 2001 !
25.8.2001 - 1.9.2001 in Bouillon, Belgium
Sign on today at http://lbw2001.ynfonatic.de/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
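The mark-and-drop rules and the rp_filter setting from Alex's reply, as an added shell example that is not part of the thread. It prints the iptables commands unless RUN=1 is set, and includes a small RFC1918 matcher used to audit a constructed list of source addresses; the chain name extin and the interface ippp0 are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit the RFC1918 mark/drop rules and
# the per-interface rp_filter command, and audit sample source addresses.
# Assumed from the thread: chain "extin", external interface "ippp0".
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Execute the command when RUN=1, otherwise just print it.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Dotted quad -> 32-bit integer using only POSIX shell arithmetic.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 when the address lies inside one of the RFC1918 prefixes.
is_rfc1918() {
    ip=$(ip2int "$1")
    for net in $RFC1918; do
        base=$(ip2int "${net%/*}")
        bits=${net#*/}
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        if [ $(( ip & mask )) -eq $(( base & mask )) ]; then return 0; fi
    done
    return 1
}

# The mangle marks from the thread (both directions for each prefix) plus the
# DROP on marked packets in the external-input chain.
martian_rules() {
    for net in $RFC1918; do
        for dir in -s -d; do
            run iptables -t mangle -A PREROUTING $dir "$net" -j MARK --set-mark 1
        done
    done
    run iptables -A extin -m mark --mark 1 -j DROP
}

# The sysctl from the thread, with the /rp_filter leaf spelled out.
rp_filter_cmd() { echo "echo 2 > /proc/sys/net/ipv4/conf/$1/rp_filter"; }

# Constructed sample of source addresses seen arriving on ippp0.
SAMPLE="203.0.113.7 10.1.2.3 172.31.255.254 172.32.0.1 192.168.1.10 198.51.100.9"

# Count sampled sources that are RFC1918; these should never arrive from the
# internet, so a non-zero count is worth investigating.
count_martians() {
    n=0
    for src in $SAMPLE; do
        if is_rfc1918 "$src"; then n=$((n + 1)); fi
    done
    echo "$n"
}
```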