[GRLUG] iptables

Kaminski, Dennis J Dennis.Kaminski at dematic.com
Thu Feb 15 10:27:13 EST 2007


I'm not sure where my problem was. I started over, went through the same
steps and got it working. Wow, that sounds like an end user statement.

My objective of using nat is to allow the use of iptables to restrict
access to some boxes that don't allow access to the operating system or
vendor supplied application.

I now understand how to do this with nat. 

Godwin,
I don't understand your suggestion of moving Other3 to a vlan. Keeping
the same IP address on the machine is preferable. I understand the vlan
part, but which device would be able to restrict access? The switch
involved, a HP2824 Procurve is considered a managed switch but I can't
find anything resembling iptables or ipfilter on it.

Thanks.

Dennis J Kaminski


-----Original Message-----
From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf
Of Godwin
Sent: Tuesday, February 13, 2007 1:48 AM
To: grlug at grlug.org
Subject: Re: [GRLUG] iptables

Seriously though, the best way to do it is probably to set up Other3 on
172.16.0.30/255.255.255.252 and create a vlan on a managed switch.
Don't trust dem Winderz guys...  ;-)

That said (after NAT'ing), your FORWARD chain should have:

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -o eth1 -d 192.168.0.30/32 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.0.30/32 -o eth0 -d 172.16.0.0/16 -j ACCEPT

But since Other3 is the only one on the 192.x subnet, this is no
different than just setting the FORWARD chain w/ an ACCEPT policy and
calling it quits.

This is just quick-n-dirty to let traffic flow.  You should probably
do more packet tweaking/filtering 'cause the only defense you've
created is against malice that stays within the same broadcast domain.

G-


On 2/12/07, Kaminski, Dennis J <Dennis.Kaminski at dematic.com> wrote:
> Thanks for the response Rick,
>
> Here's the Linux2 routing table.
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 172.16.0.0      *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> default         virtualrtr      0.0.0.0         UG    0      0        0 eth0
>
>
> Dennis J Kaminski
>
> -----Original Message-----
> From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf
> Of Rick Vargo
> Sent: Monday, February 12, 2007 3:49 PM
> To: grlug at grlug.org
> Subject: Re: [GRLUG] iptables
>
> What does the routing table on Linux2 look like?
>
> Rick
>
>
> Kaminski, Dennis J wrote:
> >
> > I've been using iptables for years for security on each individual
> > box. I thought I understood it, but I'm having some trouble with
> > address translation.
> >
> > The 3 boxes involved used to all be on the same network.
> > Linux1,                 eth0 172.16.0.10/255.255.255.0
> > Linux2,         eth0 172.16.0.20/255.255.255.0
> > Other3,                 eth0 172.16.0.30/255.255.255.0
> >
> > There are some security issues on Other3 (non-linux). I'm trying to
> > move it to a different network, but still have it be accessible on
> > its original address and restrict access using iptables on Linux2. I
> > thought the following would work, but it doesn't.
> >
> > Linux1,         eth0 172.16.0.10/255.255.255.0 (same)
> >
> > Linux2, eth0 172.16.0.20/255.255.255.0 (same)
> >                 eth1 192.168.0.20/255.255.255.0 (new)
> >
> > Other3,         eth0 192.168.0.30/255.255.255.0 (changed)
> >
> > The default route on Other3 is Linux2 (192.168.0.20).
> >
> > On Linux2, ip forwarding is turned on (/proc/sys/net/ipv4/ip_forward
> > is set to 1) and the iptables contains
> >
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> > iptables -t filter -F
> >
> > #       set policies
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> >
> > iptables -t nat -A PREROUTING  -d 172.16.0.30  -i eth0 -j DNAT --to-destination 192.168.0.30
> > iptables -t nat -A POSTROUTING -s 192.168.0.30 -j SNAT --to-source 172.16.0.30 -o eth0
> > iptables -A FORWARD -d 172.16.0.30  -j ACCEPT
> > iptables -A FORWARD -d 192.168.0.30 -j ACCEPT
> > iptables -A FORWARD -s 172.16.0.30  -j ACCEPT
> > iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
> >
> > iptables -A INPUT -s 172.16.0.0/255.255.255.0 -j ACCEPT
> > iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
> >
> > I can ssh from Linux2 to Other3 and from Other3 to Linux2, BUT there
> > is a long pause (about 40 seconds) before it asks for the password.
> >
> > From Other3 I can ping both ip addresses of Linux2 (172.16.0.20 and
> > 192.168.0.20), but I cannot ping Linux1 (172.16.0.10)
> >
> > Does anyone have any words of advice?
> >
> > Thanks.
> >
> > *Dennis Kaminski*
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > grlug mailing list
> > grlug at grlug.org
> > http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
>


-- 

Ubber::Geek
http://grlug.org/