Jesse Molina wrote:
Hello
I've googled all over and I don't really see an obvious answer to the
question that I have.
Here is my situation: I have a GNU/Linux host performing very typical
firewall duties; two interfaces, one with an Internet public IP and
another interface on an RFC1918 net. Hosts on the RFC1918 net have
iptables SNATs to public IPs and then I filter to allow some services in
and others not, with stateful inspection in forwarding.
Normally, in order to get the multiple public IPs for these SNAT'ed
hosts to respond to arp requests from the firewall, I simply add them as
secondary IPs on the public interface of the firewall (eth0:1, eth0:2,...).
The problem with this is that the firewall itself runs some services and
they have the potential to use these secondary IPs as their ephemeral
source addresses when they reach out to something on the Internet!
That's bad, as those IPs should be exclusively used by only the hosts
for which they were designed for. Assume I have no control over the
applications which bind to a local interface to use for their outbound
session traffic.
Packets that originate on the firewall machine itself go through the
OUTPUT chain. Forwarded packets from the RFC1918 net do not. Block
the packets in the OUTPUT chain of the filter table.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
