Re: problem with iptables - wrong rules?


 



Luca Ferrari wrote:

On Wednesday 14 July 2004 09:36 Miguel González Castaños's cat walking on the keyboard wrote:



Hi,

I am not sure what your network architecture is, but I assume this:

You have a LAN (let's call it LAN1) connected to the Internet through
the Linux firewall (192.168.1.7). This firewall also acts as a router,
being connected to the 192.168.1.8 router, which is connected to
different LANs.

With the DROP rule you are blocking packets destined to 192.168.1.8 that
come from anywhere (in this case the Internet and LAN1).

I assume when you say you have NATted the connection, you have NATted
connections from LAN1 to the Internet and maybe connections from the
other LANs; am I wrong? (Maybe you should give us a picture or more
details of what you have in your NAT rules.) If so, then LAN1 and the
other LANs are routed and not NATted among them.

Then, you should block destinations to networks 192.168.2.0, 192.168.4.0,
etc...



I believe you're right, since I've NATted only packets from/to the Internet and not another LAN. Anyway, is there a way using iptables to intercept packets that are going to the 192.168.1.8 router? I'd like to log those packets, but I believe that iptables acts before the kernel routing table, thus it is not easy to intercept those packets.
Any idea?


Thanks,
Luca



You can try using a sniffer on your firewall such as ethereal or something like that, and you could see the packets. Anyway, I suppose packets coming from LAN1 to the other LANs will have in the destination IP an IP like 192.168.2.x or 192.168.4.x, so you have to block packets that match this criteria. Something like this (I am writing these rules roughly to give you the idea):



# FORWARD (not OUTPUT) is the chain that transit packets traverse; OUTPUT
# only sees packets generated by the firewall itself. The /24 masks match
# the whole network; a bare 192.168.2.0 would match only that one address.
$IPTABLES -A FORWARD -o $INTIF -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
$IPTABLES -A FORWARD -o $INTIF -s 192.168.1.0/24 -d 192.168.4.0/24 -j DROP

I do not know (since I don't know how you are NATting) if these rules could block the packets coming from the Internet to 192.168.2.x, etc... Anyway, your setup is a bit weird... Wouldn't it be easier to block these packets in the router for the LANs instead of doing that in the firewall? Why don't you set a different range of IPs for LAN1? I bet it would be much easier...

HTH

Miguel
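An added example (not code from either poster) that turns the rough rules above into a small script and also covers Luca's logging question: packets the firewall forwards toward 192.168.1.8 go through PREROUTING, the routing decision, and then the FORWARD chain, so FORWARD is where they can be logged and dropped. INTIF, LAN1 and the remote subnets are assumed values; DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Log, then drop, packets that the firewall would FORWARD from LAN1 toward
# the other LANs behind the 192.168.1.8 router. OUTPUT only sees packets the
# firewall itself generates; transit traffic never passes through it.
# Assumed names: INTIF (LAN1-facing interface), LAN1 (its subnet), and the
# remote subnets. Set DRYRUN=1 to print the commands instead of running them.
IPTABLES="${IPTABLES:-iptables}"
INTIF="${INTIF:-eth1}"
LAN1="${LAN1:-192.168.1.0/24}"
REMOTE_LANS="${REMOTE_LANS:-192.168.2.0/24 192.168.4.0/24}"

# run_rule: execute one iptables command, or print it under DRYRUN=1
run_rule() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# block_remote_lans: for every remote subnet, add a rate-limited LOG rule
# followed by a DROP rule to the FORWARD chain. Note the /24 masks: a bare
# "192.168.2.0" would match only that single host address, not the network.
block_remote_lans() {
    for net in $REMOTE_LANS; do
        run_rule -A FORWARD -o "$INTIF" -s "$LAN1" -d "$net" \
            -m limit --limit 5/min -j LOG --log-prefix "lan1-to-$net "
        run_rule -A FORWARD -o "$INTIF" -s "$LAN1" -d "$net" -j DROP
    done
}

# show_rules: print the rules that would be applied without touching netfilter
show_rules() {
    ( DRYRUN=1; block_remote_lans )
}
```

Logged packets show up in the kernel log (dmesg or syslog) with the given prefix, which answers the "where do I see them" part without a sniffer.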




- : send the line "unsubscribe linux-admin" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
