Blocking direct private IP address

Hello,

I am experiencing an unusual problem relating to a DNAT causing a private IP address to become accessible from the public network and I am hoping for advice on how to avoid this problem.

The set up (slightly simplified to avoid clutter) is:

One external/public interface (eth0) on the firewall/router - IP 10.0.0.1/24
One internal/private interface (eth1) on the firewall/router - IP 192.168.0.1/24
A Web server on the internal/private network - IP 192.168.0.99

If I add this rule to the nat:PREROUTING chain...

iptables -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination 192.168.0.99

...traffic addressed to the firewall/router at 10.0.0.1 has the destination IP address changed to 192.168.0.99 as expected and that traffic is forwarded to the Web server.

So far so good.  Now, here's the bad part.

If I set up a host on the external/public network with a static route that causes it to send traffic addressed to 192.168.0.0/24 to the 10.0.0.1 external/public IP address of the firewall/router and then attempt to access the Web server using 192.168.0.99 as the address, these directly addressed packets get through the firewall.

The reason these packets are not dropped by my filter:FORWARD chain is because, at that point, the destination IP is 192.168.0.99 regardless of whether the destination was NATted or not. I.e., I do not know how to create a filtering rule that says "allow traffic from eth0 to 192.168.0.99 on eth1, but only if it was NATted".

I can certainly drop the directly addressed packets in the mangle:PREROUTING chain, either by adding a rule that tests for and drops all possible local subnets IP address destinations on incoming eth0 traffic or, probably more cleanly, add a rule in mangle:PREROUTING that only allows through packets from eth0 with a destination IP of 10.0.0.1, but it seems like the iptables guidelines are to only do filtering in the filter table.

I also did some research on /proc settings but could not find one that seemed to meet my needs.

The other option I was considering was to define some advanced routing stuff, but I have not really looked into that in detail yet.

Any advice would be greatly appreciated. Hopefully this is simply one of those "d'oh!" kinds of things and I have missed a very easy answer somewhere.

Thanks,

- Andrew Kraslavsky
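An added example, not part of Andrew's message or of any reply on this page, showing one way to express "only if it was NATted" inside the filter table: the conntrack match exposes a DNAT state bit for connections whose destination address was rewritten, so the FORWARD chain can accept traffic to 192.168.0.99 only for such connections and drop anything else that arrives on eth0 addressed to the private subnet. The addresses and interfaces are the ones from the message; restricting the published service to TCP port 80, the `IPT` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): keep the "was it NATted?"
# decision in the filter table by matching the conntrack DNAT state bit.
# Assumed: addresses/interfaces from the post, HTTP on port 80, and a
# kernel with the conntrack match (xt_conntrack) available.
set -e

IPT="${IPT:-iptables}"   # set IPT=echo to preview the rules without root
EXT_IF=eth0
INT_IF=eth1
EXT_IP=10.0.0.1
LAN_NET=192.168.0.0/24
WEB_IP=192.168.0.99

apply_rules() {
    # Rewrite only what is meant to be published: HTTP to the public IP.
    # Restricting -i and --dport keeps the DNAT from applying to anything else.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP"

    # Replies and packets of already-accepted connections.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # A new connection from the public side to the Web server is accepted
    # only if conntrack flagged it DNAT, i.e. it went through the rule above.
    # Two separate -m conntrack matches are used on purpose: states listed
    # in one --ctstate are ORed, so "NEW,DNAT" would match every NEW packet.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -m conntrack --ctstate DNAT -j ACCEPT

    # Anything else arriving on the public side addressed to the LAN was
    # routed here directly (e.g. a static route on an outside host); it never
    # matched the DNAT rule, so it is dropped here rather than in mangle.
    $IPT -A FORWARD -i "$EXT_IF" -d "$LAN_NET" -j DROP
}

# Print the rules that apply_rules would install, without touching netfilter.
preview_rules() {
    ( IPT=echo; apply_rules )
}

case "${1:-}" in
    apply)   apply_rules ;;     # needs root and iptables
    preview) preview_rules ;;
    *)       : ;;               # sourced or run with no argument: define only
esac
```

Run it as `sh dnat-filter.sh preview` to see the rule set, or `sh dnat-filter.sh apply` as root on a test box. The DROP rule alone would already stop the directly routed packets; the DNAT match on the ACCEPT rule additionally guarantees that a packet which arrives on eth0 already addressed to 192.168.0.99:80 cannot slip through the port-80 accept, because the conntrack entry for such a connection never gets the DNAT flag.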

