On Tuesday 03 February 2004 17:42, Ken Rossman wrote:
> I am working with a company that has a LAN with an existing, dual-homed,
> Red Hat system being used as a router/firewall. We are planning on putting
> up a second router out to the Internet at large, and I'm wondering if I need
> to make special considerations to prevent unwanted routing THROUGH this
> site:
>
>            +--------+
>            |Internet|
>            +--------+
>             /      \
>            /        \
>          RTR1      RTR2
>
>     <---+--------------+--->
>            (local LAN)
>
> I assume it's possible for a site out on the Internet, trying to reach
> another site out on the internet (neither being on the local LAN) to manage
> to find a route THROUGH this local net. The external IPs are fixed, right?
>
> I want to prevent this. Would the best way to do this be to use iptables to
> disallow ALL packets between RTR1 and RTR2? Is there a better way to do
> this?

You could use connection tracking - drop all packets that are not part of an
existing/related connection. (Be aware that this takes more memory than normal
iptables rules.)

> What would be any additional ramifications of doing the iptables DROP
> setup above?
>
> tnx,
> KR
>
>
> Ken Rossman
> rossman@xxxxxxxxxxxx

--
Stuart Sears RHCE, RHCX

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
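What the connection-tracking suggestion in the reply looks like as a FORWARD-chain policy on the dual-homed Red Hat box, written here as an added example (it is not from the thread, from Ken Rossman, Stuart Sears or Red Hat). It assumes the names eth0 for the LAN side, eth1 for the Internet side toward RTR1, and 192.168.1.0/24 for the local LAN prefix; set IPT=echo to print the rules instead of applying them. It goes a step beyond the reply by adding address-based anti-transit rules on both interfaces, so that a packet which entered from one router can never be forwarded toward the other even when conntrack would otherwise pass it:

```shell
#!/bin/sh
# Added example, not from the thread: a FORWARD-chain policy for the dual-homed
# Red Hat router so it never carries transit traffic (Internet -> RTR1 -> LAN ->
# RTR2 -> Internet, or the reverse) while local hosts keep normal access.
# Assumed names: eth0 = LAN side, eth1 = Internet side (toward RTR1),
# 192.168.1.0/24 = the local LAN prefix. Set IPT=echo to preview the rules
# instead of applying them.
set -eu

LAN_IF="${LAN_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

transit_block_rules() {
    # 1. Default deny: a packet is only forwarded if a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # 2. The reply's suggestion: pass only packets that belong to a connection
    #    conntrack already knows about (replies, related ICMP errors, FTP data).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Anti-transit on the LAN side: a packet arriving on the LAN interface
    #    with a non-LAN source was relayed by RTR2 (or spoofed), not sent by a
    #    local host, so it must not be forwarded toward RTR1.
    $IPT -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    # 4. Anti-transit on the Internet side: a packet arriving from RTR1 that is
    #    not addressed to the LAN could only leave again via RTR2.
    $IPT -A FORWARD -i "$EXT_IF" ! -d "$LAN_NET" -j DROP
    # 5. New connections from local hosts out to the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Anything else (unsolicited inbound, transit in either direction) falls
    # through to the DROP policy set in step 1.
}

# Usage: ./transit-block.sh preview   (prints the rules without touching the kernel)
#        ./transit-block.sh apply     (needs root; installs the rules)
case "${1:-}" in
    preview) IPT=echo; transit_block_rules ;;
    apply)   transit_block_rules ;;
esac
```

Rule 2 is what costs memory: every forwarded connection gets a conntrack table entry, which is the overhead the reply warns about. The same policy, with the interface roles swapped, belongs on RTR2 as well, since a transit path across the LAN needs both routers to cooperate and it is cleaner to refuse it at both ends than to rely on one box. `-m state` is the spelling in use in 2004; current iptables also accepts `-m conntrack --ctstate` with the same states.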