Re: help with netmap.

On Wed, 2006-02-08 at 08:35 -0500, Stephen Beck wrote:
> I have several dorm firewalls with nearly 250 users behind each.
> I NAT the inside IPs using NETMAP. This has been up and running for
> 6 months and for the inside users it's working fine. For the most part
> I don't want connections originating from the outside, and NETMAP seems
> to be preventing this. However, I now have an application that needs to
> be able to originate a stream from the outside to any inside
> IP (CopySense).
> 
> I'm really not sure:
> if NETMAP alone should block incoming connections?
> how to go about allowing them?
> 
> From what I see the following is a start:
> existing NETMAP lines on one router:
> 
> Chain POSTROUTING (policy ACCEPT 6 packets, 300 bytes)
>   362 20370 NETMAP     all  --  *      *       10.0.20.0/24         0.0.0.0/0           205.133.141.0/24
>    75  4208 NETMAP     all  --  *      *       10.0.21.0/25         0.0.0.0/0           205.133.140.0/25
>   223 10925 NETMAP     all  --  *      *       10.0.22.0/25         0.0.0.0/0           205.133.140.128/25
> 
> To allow the outside connection for my laptop this works:
> 
> Chain PREROUTING (policy ACCEPT 1620 packets, 92093 bytes)
> target     prot opt in     out     source               destination
> DNAT       all  --  *      *       0.0.0.0/0            205.133.141.42      to:10.0.20.42
> 
> I'll tighten up that rule once I get it working ;-)
> 
> However, I need to allow that rule to work for all 255 IPs
> and I can't seem to get the syntax right ???
> 
> 
> Stephen Beck, Marietta College, 740-376-4366
> 
You've hit upon an important distinction -- the nat table does not
handle access control.  That will be handled by your filter table and,
in this case, the FORWARD chain.

I would suggest a FORWARD policy of DROP and only allow outbound traffic
and inbound from the specific socket you want to allow.

If you need more information on using nat and filter, Oskar Andreasson
has a great tutorial at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html and there
are some slightly dated training slide shows in the training section of
the ISCS network security management project at
http://iscs.sourceforge.net.  Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
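The split John describes, as an added example that is not part of either message: the nat table carries the 1:1 NETMAP in both directions (the PREROUTING NETMAP is the "all 255 IPs" form of the per-host DNAT in the question), while the FORWARD chain of the filter table does the actual access control with a DROP policy, outbound allowed, and inbound limited to one port. Only the first dorm subnet from the listing is used; the interface names WAN/LAN and the application port APP_PORT are assumed placeholders, since the thread does not say which port CopySense listens on. With DRY_RUN=1 (the default) the rules are printed rather than applied, so the set can be reviewed before it is loaded on the router.

```shell
#!/bin/sh
# Added example (not code from the original thread): 1:1 NETMAP for one dorm
# subnet plus a FORWARD chain that does the access control NETMAP cannot.
# The subnets are those listed in the thread; WAN, LAN and APP_PORT are
# assumed placeholders for the router's interfaces and the CopySense port.
set -eu

WAN="${WAN:-eth0}"            # assumed outside interface
LAN="${LAN:-eth1}"            # assumed inside interface
INSIDE="10.0.20.0/24"         # private dorm range (from the thread)
PUBLIC="205.133.141.0/24"     # public range it maps to (from the thread)
APP_PORT="${APP_PORT:-8000}"  # assumed: TCP port the inside CopySense agent listens on

# With DRY_RUN=1 (the default) the rules are printed instead of applied,
# so the script can be reviewed on any machine before it touches a firewall.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

nat_rules() {
    # Outbound 1:1 mapping: what the existing POSTROUTING lines already do.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$INSIDE" -j NETMAP --to "$PUBLIC"
    # Inbound side: rewrite the public destination back to the private
    # address for every host in the block. This replaces the per-host DNAT
    # and is what makes outside-originated connections reach any inside IP.
    ipt -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC" -j NETMAP --to "$INSIDE"
}

filter_rules() {
    # The nat table only rewrites addresses; whether a translated packet
    # may cross the box is decided here. Default deny, then whitelist.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything the dorm originates may go out.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$INSIDE" -j ACCEPT
    # Inbound: only new connections to the one application port. The packet
    # was already rewritten in PREROUTING, so match the private destination
    # here, not the public one. Everything else hits the DROP policy.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$INSIDE" -p tcp --dport "$APP_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

all_rules() {
    nat_rules
    filter_rules
}

# Count generated rules matching a pattern; a cheap sanity check on the
# policy before applying it (e.g. exactly one inbound NEW accept).
count_matching() {
    all_rules | grep -c -- "$1" || true
}

all_rules
```

Apply with DRY_RUN=0 only after checking the printed set; the same filter_rules block must also cover 10.0.21.0/25 and 10.0.22.0/25, because a DROP policy on FORWARD applies to every subnet behind the router, not just the one whose NAT rules are shown here.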
