How to deny private net accessing each other by private net ip

Hi

I have the following firewall setup:
eth0  internet (1.1.x.x, 1.2.x.x, 1.3.x.x)
eth1  private lan 10.1.x.x snat/dnat 1.1.x.x.x
eth2  private lan 10.2.x.x snat/dnat 1.2.x.x.x
eth3  private lan 10.3.x.x snat/dnat 1.3.x.x.x

I am trying to restrict machines on ethA from accessing machines on ethB (A = 1,2,3, B = 1,2,3)
by their reserved IP (10.B.x.x) and only allow access by their public (1.B.x.x) IP.

I can do it using the PREROUTING chain in nat/mangle:
  iptables -t nat    -A PREROUTING -i eth2 -d 10.0.0.0/8 -j DROP # or
  iptables -t mangle -A PREROUTING -i eth2 -d 10.0.0.0/8 -j DROP

but I read a tutorial (from www.netfilter.org) saying not to do any filtering in the nat/mangle tables because not all packets traverse these tables. (http://iptables-tutorial.frozentux.net/)

I cannot do it in the FORWARD chain because by the time the packet reaches the FORWARD chain
it may already have been DNAT-ed (I cannot tell whether it was without marking it in the mangle/nat tables).

That is, in the FORWARD chain I cannot distinguish between packets
- from eth1 d=10.2.x.x
- from eth1 d=1.2.x.x (in the FORWARD chain this packet will have d=10.2.x.x set by the DNAT target)

If I need to mark the packet in mangle and later drop it in FORWARD, then why not drop it right in the mangle table?
But that would be filtering in the nat/mangle tables, which is supposed to be a no-no.

I would appreciate any help/advice

thanks
Bog
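An added example (not from the original post) showing the mark-in-mangle, drop-in-FORWARD arrangement the question describes, as a POSIX shell script: the interface names and the 10.0.0.0/8 range are taken from the post; the variable names, the use of --ctstate NEW, and the conntrack --ctorigdst alternative are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: mark the packet in mangle
# PREROUTING (before nat PREROUTING rewrites the destination) and make the
# DROP decision in the filter FORWARD chain on that mark, so the nat/mangle
# tables carry no filtering rule. Interface names and the 10.0.0.0/8 range
# are taken from the post; IPT defaults to "echo iptables" so the script
# prints the rules instead of applying them (run with IPT=iptables to apply).
IPT="${IPT:-echo iptables}"
PRIVATE_NET="10.0.0.0/8"
LAN_IFACES="eth1 eth2 eth3"
MARK="0x1"

# Mark-based variant. Conntrack has already classified the packet by the time
# mangle PREROUTING runs, so --ctstate NEW keeps reply packets of allowed
# flows (which arrive on the other LAN interface addressed to 10.A.x.x)
# from being marked and dropped.
private_block_rules() {
    for ifc in $LAN_IFACES; do
        $IPT -t mangle -A PREROUTING -i "$ifc" -d "$PRIVATE_NET" \
            -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    done
    # Insert at the top of FORWARD so an earlier ESTABLISHED/ACCEPT rule
    # cannot let the first packet of a marked flow through.
    $IPT -I FORWARD -m mark --mark "$MARK" -j DROP
}

# Alternative (an assumption of this example, not from the post): the
# conntrack match can test the original, pre-DNAT destination directly in
# FORWARD, so no mark is needed at all.
private_block_rules_conntrack() {
    for ifc in $LAN_IFACES; do
        $IPT -I FORWARD -i "$ifc" -m conntrack --ctorigdst "$PRIVATE_NET" \
            -j DROP
    done
}

# Stand-alone run: print (or, with IPT=iptables, apply) the mark-based rules.
private_block_rules
```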
