On Thu, Apr 01, 2004 at 10:25:06AM +0200, Bo Jacobsen wrote:
> I use DNAT to redirect traffic from the external lan eth0 (192.168.1.1) to a
> specific host (192.168.10.10) on the internal lan (eth1) like this:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.1.1 -j DNAT
> --to 192.168.10.10 -i eth0
>
> and then I allow the redirected traffic:
> iptables -A FORWARD -p tcp --dport 80 -d 192.168.10.10 ........
>
> It works as expected but with this approach, it's actually possible from the outside
> to find out what internal IP the http server is located at!
> All one has to do is send to 192.168.10.1, 192.168.10.2, 192.168.10.3 etc. (to
> eth0 on the outside) until one hits the server. The rules allow it.

The 192.168.0.0/24 is a non-internet-routable address, meaning all ISPs drop this address range. Pretty sure you might be able to capture this in PREROUTING (mangle) and drop it there, although you're not meant to drop/filter in that table. Also, if you have rp_filter on (for the internet interface) it would probably capture it first before it hits netfilter.

> I have not been able to figure out how to solve this problem.
>
> Any suggestions.
>
> Thanks in advance
> Bo Jacobsen
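As an added example (not part of the thread and not posted by either author), the rule set below keeps the DNAT port-forward quoted above but closes the probing hole it describes: the FORWARD chain accepts port-80 traffic from eth0 only when conntrack reports that the nat table actually translated it (`-m conntrack --ctstate DNAT`), and any other packet arriving on eth0 with an internal destination is dropped. Interface names and addresses are the ones quoted in the thread; the `IPT` variable is an assumption of this script (it defaults to the real `iptables` binary and can be set to `echo` for a dry run).

```shell
#!/bin/sh
# Added example, not from the thread. Port-forward with the FORWARD chain
# restricted to packets the nat table really translated, plus an anti-spoofing
# drop for outside packets that already name an internal address.
# Addresses and interfaces are the ones quoted in the thread.
# IPT is an assumption of this script: real iptables by default, IPT=echo for a dry run.

IPT="${IPT:-iptables}"
EXT_IF="eth0"
EXT_ADDR="192.168.1.1"
INT_NET="192.168.10.0/24"
WEB_HOST="192.168.10.10"

apply_rules() {
    # Anti-spoofing: a packet from the outside may reach an internal address
    # only if DNAT put that address there; a directly addressed probe is dropped.
    "$IPT" -A FORWARD -i "$EXT_IF" -d "$INT_NET" -m conntrack ! --ctstate DNAT -j DROP

    # The port-forward itself, as in the original post (--to-destination spelled out).
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -d "$EXT_ADDR" \
        -j DNAT --to-destination "$WEB_HOST"

    # Accept only connections that the rule above translated, then their replies.
    "$IPT" -A FORWARD -i "$EXT_IF" -p tcp --dport 80 -d "$WEB_HOST" \
        -m conntrack --ctstate DNAT -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Source the file and call `apply_rules` as root to install the rules; with `IPT=echo` it only prints the four commands, which is a convenient way to review the rule order before touching a live firewall. The order matters: the anti-spoofing DROP comes first so that a probe to 192.168.10.10 sent to eth0 never reaches the ACCEPT rule, while a packet translated by PREROUTING carries the DNAT conntrack state and passes both rules.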