From: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
To: Andrew Kraslavsky <andykras@xxxxxxxxxxx>
CC: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Blocking direct private IP address
Date: Thu, 1 Mar 2007 00:35:14 +0100 (MET)
On Feb 28 2007 15:20, Andrew Kraslavsky wrote:
>
> If I set up a host on the external/public network with a static route
> that causes it to send traffic addressed to 192.168.0.0/24 to the 10.0.0.1
> external/public IP address of the firewall/router and then attempt to
> access the Web server using 192.168.0.99 as the address, these directly
> addressed packets get through the firewall.
I did not find the question in your mail, but:
Activate "rp_filter", and any host on 10.0.0.0/24 that uses a
non-10.0.0.0/24 address as source will be ignored.
Jan
--
Thanks for the pointer, but the question here is about the destination IP
address, not the source.
When I create the DNAT rule, the private IP address to which I want my
public address to map suddenly becomes directly accessible to hosts on the
public network.
I.e. I want hosts on the public network to _have_to_ send traffic to the
public IP of 10.0.0.1 but, after adding that rule, they can actually send
traffic to that address _AND_ also directly to the private IP address of the
Web server at 192.168.0.99.
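As an added example (not code from either poster, and not netfilter project
code): a ruleset for the firewall/router that lets forwarded traffic reach the
Web server only when the connection was actually DNATed from the public
address, and drops anything arriving on the public side that is already
addressed to the private range, which is exactly what a host with a static
route for 192.168.0.0/24 via 10.0.0.1 sends. Jan's rp_filter suggestion is
included as sysctl settings for the source side. The addresses are the ones
from the thread; the interface names (eth0 external, eth1 internal), the DNAT
port 80, and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout:
#   eth0 = external interface holding 10.0.0.1, eth1 = internal interface on
#   192.168.0.0/24, web server at 192.168.0.99 reached via DNAT on port 80.
EXT_IF=eth0
EXT_IP=10.0.0.1
INT_IF=eth1
LAN=192.168.0.0/24
WEB=192.168.0.99

# Emit the ruleset in iptables-restore format. Kept in a function so it can be
# inspected or checked without loading it into a live kernel.
firewall_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB
-A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNAT happens in PREROUTING, so by FORWARD the DNATed packet and the directly
# addressed packet both carry -d $WEB. conntrack still knows the original
# destination: only admit the flow whose original destination was the public IP.
-A FORWARD -i $EXT_IF -d $WEB -p tcp --dport 80 -m conntrack --ctorigdst $EXT_IP -j ACCEPT
# Everything else from the public side aimed at the private range is logged and dropped.
-A FORWARD -i $EXT_IF -d $LAN -j LOG --log-prefix direct-to-lan:
-A FORWARD -i $EXT_IF -d $LAN -j DROP
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
COMMIT
EOF
}

# Source-side check from Jan's reply: strict reverse-path filtering on the
# external interface drops packets whose source would not be routed back that way.
rp_filter_settings() {
cat <<EOF
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.$EXT_IF.rp_filter=1
EOF
}

# Sanity check on the generated ruleset: the ACCEPT for the DNATed flow must
# precede the DROP for the private range, or the DNATed traffic dies as well.
check_rule_order() {
    rules=$(firewall_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "--ctorigdst $EXT_IP -j ACCEPT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-d $LAN -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Load into the kernel only when explicitly asked and running as root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    firewall_rules | iptables-restore
    rp_filter_settings | while IFS= read -r kv; do sysctl -w "$kv"; done
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_rule_order && echo "rule order ok" ;;
    *) firewall_rules ;;
esac
```

Run it with no argument to print the ruleset, with "check" to verify the rule
order, and with "apply" as root to load it. The --ctorigdst match is from the
conntrack match extension; "-m conntrack --ctstate DNAT" is an equivalent
choice when there is only one DNAT mapping on the box. Packets hitting the
direct-to-lan: log line are the directly addressed ones the thread describes,
so that prefix doubles as the detection signal.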