* eth1 answers SYN/ACK to SYNs dedicated for eth0. Why?
@ 2004-12-15 23:07 Stoycho Sleptsov
From: Stoycho Sleptsov @ 2004-12-15 23:07 UTC (permalink / raw)
To: netfilter
Hi.
I am new to iptables, so excuse me in advance for any strange
terminology.
I have the following configuration:
an external IP assigned to eth0.
192.168.0.1 assigned to eth1.
ip_forward set to 1.
sshd waiting on 22.
iptables:
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to ext.ern.ip
COMMIT
... and suddenly external people are receiving the ssh login (sometimes, not
always).
After logging for a while I saw that a SYN on 22 to ext.ern.ip is accepted and
answered by eth1, and afterwards it is translated and accepted as ESTABLISHED
by eth0 in the filter part of iptables.
Is this normal?
For now I found some workaround in the nat:
-A PREROUTING -d ext.ern.ip -s ! 192.168.0.0/24 -i eth1 -m state --state NEW -j DROP
But maybe I have to do something completely different to avoid this strange
effect altogether?
Thanks a lot,
Stoycho
* Re: eth1 answers SYN/ACK to SYNs dedicated for eth0. Why?
@ 2004-12-15 23:38 ` Jason Opperisano
From: Jason Opperisano @ 2004-12-15 23:38 UTC (permalink / raw)
To: netfilter
On Wed, 2004-12-15 at 18:07, Stoycho Sleptsov wrote:
> Hi.
>
> I am new to iptables, so excuse me in advance for any strange
> terminology.
>
> I have the following configuration:
> an external IP assigned to eth0.
> 192.168.0.1 assigned to eth1.
> ip_forward set to 1.
> sshd waiting on 22.
>
> iptables:
>
> *filter
> :INPUT DROP
> :FORWARD DROP
> :OUTPUT ACCEPT
>
> -A INPUT -i eth1 -j ACCEPT
change that to:
-A INPUT -i eth1 -d $ip_of_eth1 -j ACCEPT
and packets that arrive on eth1 destined for eth0's IP address won't be
accepted anymore.
-j
--
"I saw weird stuff in that place last night. Weird, strange, sick,
twisted, eerie, godless, evil stuff. And I want in."
--The Simpsons
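The following is an added illustration, not code from either poster: a small Python model of the INPUT chain that evaluates a packet against the first rule as Stoycho posted it (`-i eth1 -j ACCEPT`) and against Jason's corrected form (`-i eth1 -d $ip_of_eth1 -j ACCEPT`), with the rest of the chain and the DROP policy unchanged. It shows why matching on the input interface alone is too broad: a SYN that arrives on eth1 but is addressed to eth0's external IP is accepted by the original rule and dropped by the corrected one. Assumed values: 203.0.113.5 stands in for ext.ern.ip (a documentation address) and 192.168.0.1 for $ip_of_eth1; the model only checks input interface, destination address and conntrack state, which is all the thread's INPUT rules use.

```python
"""Toy model of the INPUT chain from the thread (added example, not the
thread's own code). It evaluates rules first-match-wins and falls back to
the chain policy, like the filter table does."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    dst: str        # destination IP address (-d)
    state: str      # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str                                   # -j
    in_iface: Optional[str] = None                # -i, None = any
    dst: Optional[str] = None                     # -d, None = any
    states: FrozenSet[str] = frozenset()          # --state, empty = any

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def verdict(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed stand-ins: ext.ern.ip and $ip_of_eth1 from the thread.
EXT_IP = "203.0.113.5"
ETH1_IP = "192.168.0.1"
ESTABLISHED_RELATED = frozenset({"ESTABLISHED", "RELATED"})

# INPUT chain as posted: the eth1 rule matches on interface only.
ORIGINAL_INPUT = [
    Rule("ACCEPT", in_iface="eth1"),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", in_iface="eth0", states=ESTABLISHED_RELATED),
]

# INPUT chain with Jason's change: eth1 traffic must also be addressed
# to eth1's own IP.
FIXED_INPUT = [
    Rule("ACCEPT", in_iface="eth1", dst=ETH1_IP),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", in_iface="eth0", states=ESTABLISHED_RELATED),
]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict under the original chain, verdict under the fixed chain)."""
    return verdict(ORIGINAL_INPUT, "DROP", pkt), verdict(FIXED_INPUT, "DROP", pkt)


if __name__ == "__main__":
    # Constructed sample packets covering the cases discussed in the thread.
    samples = [
        ("LAN host -> eth1's own IP, new connection", Packet("eth1", ETH1_IP, "NEW")),
        ("arrived on eth1 but addressed to eth0's IP", Packet("eth1", EXT_IP, "NEW")),
        ("Internet -> eth0's IP, new connection", Packet("eth0", EXT_IP, "NEW")),
        ("reply to an outbound connection on eth0", Packet("eth0", EXT_IP, "ESTABLISHED")),
    ]
    print(f"{'case':48} {'original':9} {'fixed':9}")
    for label, pkt in samples:
        orig, fixed = compare(pkt)
        print(f"{label:48} {orig:9} {fixed:9}")
```

Only the second sample differs between the two chains: the posted rule lets a NEW SYN through simply because it came in on eth1, which is the behaviour Stoycho observed, while the corrected rule requires the packet to be for eth1's own address and lets the DROP policy handle the rest.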