Steven Haigh wrote:
On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
Christopher Chan wrote:
I spent much of the past 24 hours trying to find out how to set up
iptables for firewall routing WITHOUT NATing. Could not find anything.
Eh? You just need to enable ip forwarding to enable routing. After
that, it is put up the firewall rules as is necessary, build the
appropriate routing tables on the firewall box and the boxes on the
intranet(s).
iptables does not handle routing.
No, but iptables controls what is allowed to route,
I think this is where you are getting confused and causing yourself
issues. iptables has ZERO effect on what is allowed to route. It is a
simple YES or NO as to if it should be allowed to pass or be filtered.
I have been tested as having a significant language usage problem, and
am working on it. 'what is allowed to route' was a poor choice of
wording. What you wrote above is much closer to what I wanted to say.
ip src/dest is used for routing decisions by the kernel. The IP state
machine (check the RFC or any decent TCP/IP textbook) is really quite
simple. But iptables sticks its nose into the center of that state
machine and can mangle addresses to change how packets flow through the
machine, or just simply yank packets right out of the machine with a
simple NO (drop).
So in my mind's eye, the IP state machine (my MSU CPS 410 prof was
death on state machines; turn in a perfectly executing assignment
without one and there went half your grade. See HIP for its state
machine) is dictated by iptables as to what it is allowed to route.
Those little words, "put up the firewall rules as necessary" are
equivalent to "and magic happens here."
It's actually not magical at all... Work with the mindset of "I want
to allow X, Y, and Z, then deny everything else". This translates
easily into iptables rules -j ACCEPT and then your last rule (or
policy) should be a deny/drop/reject.
That is exactly what I tried to do. I just used the wrong bit of pixie
dust (during some of the 'heated' IPsec meeting debates one fellow would
try to sneak up a speaker 'that just did not get it' and sprinkle some
glitter on them. He had labeled his tube of glitter as 'security pixie
dust').
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
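The ruleset the thread describes (forwarding switched on in the kernel, a few things allowed through, everything else dropped, and no NAT anywhere), as an added example that is not from any of the posters; the interface names, intranet network and port list are assumed, and the script prints the commands rather than applying them so it can be reviewed first:

```shell
#!/bin/sh
# Forwarding firewall WITHOUT NAT. Hypothetical interfaces/network below.
# Prints the iptables commands; pipe the output to sh as root to apply.

forward_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; shift 3   # remaining args: allowed TCP ports
    # 1. Routing is a kernel function, not an iptables one: turn it on.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Default for traffic crossing the box: drop unless a rule says otherwise.
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # 3. Nothing arriving on the outside interface may claim an intranet source.
    echo "iptables -A FORWARD -i $wan_if -s $lan_net -j DROP"
    # 4. Replies to connections we allowed are let back through.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 5. "Allow X, Y and Z": the listed services, intranet to outside only.
    for p in "$@"; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # No '-t nat' rules at all: packets are routed with their addresses unchanged,
    # so every intranet host needs a route back via this box (or a default route to it).
}

forward_rules eth0 eth1 192.168.10.0/24 22 80 443
```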