* Purpose of self-referential rule
From: Kelly Setzer @ 2003-02-24 16:06 UTC (permalink / raw)
To: netfilter
I've been experimenting with gShield trying to learn the ins and outs
of iptables. One of the rules it generates is:
iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
The source and dest are correct for my internal network, and eth1 is
the internal net. My question is, when would the firewall ever see a
packet that could possibly match this? Any packet with a source and
destination on the same network would send the packet directly (no
routing, thus no firewall).
What am I missing?
thanks,
Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com http://www.placemark.com
(972)404-8100x41 (work) (214) 287-3464 (cell)
* Re: Purpose of self-referential rule
From: Joel Newkirk @ 2003-02-26 14:03 UTC (permalink / raw)
To: Kelly Setzer, netfilter
On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables. One of the rules it generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j
> ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net. My question is, when would the firewall ever see a
> packet that could possibly match this? Any packet with a source and
> destination on the same network would send the packet directly (no
> routing, thus no firewall).
>
> What am I missing?
What's the IP of eth1? This is the INPUT chain, so it's for traffic
targeted at the firewall box itself. Having a destIP listed with a /24
is a little odd, though, unless you are DHCP assigned IP or some such
where it won't know the IP when the rule is generated, or it may change.
j
> thanks,
> Kelly
* Re: Purpose of self-referential rule
From: Kelly Setzer @ 2003-02-26 14:55 UTC (permalink / raw)
To: netfilter
On Wed, Feb 26, 2003 at 09:03:58AM -0500, Joel Newkirk wrote:
> On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> > I've been experimenting with gShield trying to learn the ins and outs
> > of iptables. One of the rules it generates is:
> >
> > iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j
> > ACCEPT
> >
> > The source and dest are correct for my internal network, and eth1 is
> > the internal net. My question is, when would the firewall ever see a
> > packet that could possibly match this?
> >
>
> What's the IP of eth1? This is the INPUT chain, so it's for traffic
> targeted at the firewall box itself. Having a destIP listed with a /24
> is a little odd, though, unless you are DHCP assigned IP or some such
> where it won't know the IP when the rule is generated, or it may change.
The eth1 interface has a statically assigned address of 192.168.6.1.
Another respondent mentioned that its only use (as an INPUT rule) would
be to allow traffic directly to the firewall. DHCP is used to assign
addresses to Windows clients on this network. In any case, it seems a
little weak to allow clients full access to the firewall - way too
open.
I suppose I should try removing the rule and seeing if anything
breaks.
thanks all,
Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com http://www.placemark.com
(972)404-8100x41 (work) (214) 287-3464 (cell)
* Re: Purpose of self-referential rule
From: Alistair Tonner @ 2003-02-26 15:33 UTC (permalink / raw)
To: Kelly Setzer, netfilter
Hi:
This rule would only really be invoked when a packet left a system on the
internal network headed for the firewall box itself (presumably the firewall
has a valid network address on that segment.) -- however that rule is rather
loose, since it supposes that it is accepting a destination of the entire
segment, rather than for a specific IP on the firewall. This might be valid
if you had wireless lan tunnelling equipment that used the firewall as a
router, and the rule was in the forward chain. There was a discussion
recently about controlling access to MS shares in a public wireless lan, but
the solution was not in iptables, but in the wireless lan tunnelling
software.
What is the intent of the rule is perhaps the more appropriate question.
This would be appropriate for certain environments, but not in most.
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
On February 24, 2003 11:06 am, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables. One of the rules it generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net. My question is, when would the firewall ever see a
> packet that could possibly match this? Any packet with a source and
> destination on the same network would send the packet directly (no
> routing, thus no firewall).
>
> What am I missing?
>
> thanks,
> Kelly
> --
> Kelly Setzer, System Administrator/Architect - Placemark Investments
> 14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
> kelly.setzer@placemark.com http://www.placemark.com
> (972)404-8100x41 (work) (214) 287-3464 (cell)
--
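The point Joel and Alistair make above (INPUT only sees packets addressed to the firewall box itself, so the /24 destination is looser than it needs to be) can be checked with a small model of the routing decision. This is an added example, not code from the thread or from gShield: it models the box with eth1 at 192.168.6.1 as Kelly states, assumes a constructed external address 203.0.113.10 on eth0, and relies on the Linux behaviour that packets to one of the box's own addresses or to the directed broadcast of a connected subnet are delivered locally (through INPUT) rather than forwarded. It compares gShield's rule with a tightened version that names the firewall's own address.

```python
import ipaddress
from dataclasses import dataclass

# Modelled firewall box (assumption): eth1 is the internal interface with
# Kelly's statically assigned 192.168.6.1; eth0's address is constructed.
OWN_ADDRESSES = {
    "eth1": ipaddress.ip_interface("192.168.6.1/24"),
    "eth0": ipaddress.ip_interface("203.0.113.10/24"),
}

# Addresses the kernel delivers locally: the box's own addresses, the
# directed broadcast of each connected subnet, and limited broadcast.
LOCAL_DELIVERY = {ifc.ip for ifc in OWN_ADDRESSES.values()}
LOCAL_DELIVERY |= {ifc.network.broadcast_address for ifc in OWN_ADDRESSES.values()}
LOCAL_DELIVERY.add(ipaddress.ip_address("255.255.255.255"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str


@dataclass(frozen=True)
class Rule:
    """One iptables rule of the form -A CHAIN -s SRC -d DST -i IFACE -j TARGET."""
    chain: str
    src_net: str
    dst_net: str
    in_iface: str
    target: str

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.in_iface == self.in_iface
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
        )


def chain_for(pkt: Packet) -> str:
    """Routing decision: locally delivered packets traverse INPUT; anything
    the box merely routes for someone else traverses FORWARD."""
    if ipaddress.ip_address(pkt.dst) in LOCAL_DELIVERY:
        return "INPUT"
    return "FORWARD"


def verdict(pkt: Packet, rules, policy: str = "DROP"):
    """First matching rule in the chain the packet actually traverses wins;
    otherwise the chain's default policy applies (gShield-style DROP)."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return chain, rule.target
    return chain, policy


# The rule gShield generated, and a tightened form naming the box's own address.
LOOSE = Rule("INPUT", "192.168.6.0/24", "192.168.6.0/24", "eth1", "ACCEPT")
TIGHT = Rule("INPUT", "192.168.6.0/24", "192.168.6.1/32", "eth1", "ACCEPT")


if __name__ == "__main__":
    # Constructed sample packets from a LAN client at 192.168.6.20.
    samples = [
        ("LAN host -> firewall's eth1 address", Packet("192.168.6.20", "192.168.6.1", "eth1")),
        ("LAN host -> another LAN host via box", Packet("192.168.6.20", "192.168.6.30", "eth1")),
        ("LAN host -> firewall's external address", Packet("192.168.6.20", "203.0.113.10", "eth1")),
        ("LAN host -> subnet broadcast", Packet("192.168.6.20", "192.168.6.255", "eth1")),
        ("spoofed LAN source arriving on eth0", Packet("192.168.6.20", "192.168.6.1", "eth0")),
    ]
    for label, pkt in samples:
        print(f"{label:42} loose={verdict(pkt, [LOOSE])}  tight={verdict(pkt, [TIGHT])}")
```

The LAN-to-LAN packet in Kelly's question never reaches INPUT at all: if the box routes it, it goes through FORWARD, and if the hosts talk directly it never touches the box. The one case where the /24 and /32 forms differ is subnet broadcast (192.168.6.255), which Windows clients on a DHCP-served segment emit regularly; tightening to the firewall's own address silently drops those, so whether that matters depends on what services the box offers to the LAN. Either form still accepts every port on the box from every LAN client, which is the "way too open" part Kelly notes; narrowing further means adding `-p`/`--dport` matches for the services the LAN actually needs.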
* Re: Purpose of self-referential rule
From: Del Winiecki @ 2003-02-26 17:52 UTC (permalink / raw)
To: netfilter
Kelly, typically you have a default route set on each machine on your
LAN, and that gateway address would be your Linux router.
Yes, packets COULD be sent directly, but you'd have to reset the route
in your machine each time you wanted to point to a different machine.
So, the router IS routing all your traffic on the LAN in a normal setup.
So the line in iptables is useful. I use this kind of statement here
where I have 3 different companies sharing a fiber-optic line back to my
ISP. In your example, since it's an INPUT statement, it limits access to
machines on the 192.168.6.0/24 network, assuming you have a DROP policy
for INPUT.
-Del
On Mon, 2003-02-24 at 09:06, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables. One of the rules it generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net. My question is, when would the firewall ever see a
> packet that could possibly match this? Any packet with a source and
> destination on the same network would send the packet directly (no
> routing, thus no firewall).
>
> What am I missing?
>
> thanks,
> Kelly
> --
> Kelly Setzer, System Administrator/Architect - Placemark Investments
> 14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
> kelly.setzer@placemark.com http://www.placemark.com
> (972)404-8100x41 (work) (214) 287-3464 (cell)