[GRLUG] iptables

Godwin geektoyz at gmail.com
Thu Feb 15 15:25:53 EST 2007


vlans on switches generally only involve manipulation (and
restrictions) of MAC addresses (arp tables) on the switch.  Some
newer, "smart" switches can do IP routing as well.  By setting up
vlans, you can keep the same subnet (somewhat) and restrict traffic
flow per switch port.   Now, you've introduced another subnet into the
mix.

Hey, I'm an iptables nut.  On any given day, I'd rather restrict with
linux than any other device.  I just didn't see the need to have your
box become a device which now "needed" to be up (for
filtering/routing).

The way I tinker with my box, it's up one minute, rebooting the next
(upgrades, trials, reinstalls, etc.)   Other than security updates, I
like "set it and forget it" essential devices, which free my boxes for
playing.  ;-)

G-


On 2/15/07, Kaminski, Dennis J <Dennis.Kaminski at dematic.com> wrote:
> I'm not sure where my problem was. I started over, went through the same
> steps and got it working. Wow, that sounds like an end user statement.
>
> My objective of using nat is to allow the use of iptables to restrict
> access to some boxes that don't allow access to the operating system or
> vendor supplied application.
>
> I now understand how to do this with nat.
>
> Godwin,
> I don't understand your suggestion of moving Other3 to a vlan. Keeping
> the same IP address on the machine is preferable. I understand the vlan
> part, but which device would be able to restrict access? The switch
> involved, a HP2824 Procurve is considered a managed switch but I can't
> find anything resembling iptables or ipfilter on it.
>
> Thanks.
>
> Dennis J Kaminski
>
>
> -----Original Message-----
> From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf Of Godwin
> Sent: Tuesday, February 13, 2007 1:48 AM
> To: grlug at grlug.org
> Subject: Re: [GRLUG] iptables
>
> Seriously though, the best way to do it is probably to set up Other3 on
> 172.16.0.30/255.255.255.252 and create a vlan on a managed switch.
> Don't trust dem Winderz guys...  ;-)
>
> That said (after NAT'ing), your FORWARD chain should have:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -o eth1 -d 192.168.0.30/32 -j ACCEPT
> iptables -A FORWARD -i eth1 -s 192.168.0.30/32 -o eth0 -d 172.16.0.0/16 -j ACCEPT
>
> But since Other3 is the only one on the 192.x subnet, this is no
> different than just setting the FORWARD chain w/ an ACCEPT policy and
> calling it quits.
>
> This is just quick-n-dirty to let traffic flow.  You should probably
> do more packet tweaking/filtering 'cause the only defense you've
> created is against malices that stay within the same broadcast domain.
>
> G-
>
>
> On 2/12/07, Kaminski, Dennis J <Dennis.Kaminski at dematic.com> wrote:
> > Thanks for the response Rick,
> >
> > Here's the Linux2 routing table.
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> > 172.16.0.0      *               255.255.255.0   U     0      0        0 eth0
> > 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> > default         virtualrtr      0.0.0.0         UG    0      0        0 eth0
> >
> >
> > Dennis J Kaminski
> >
> > -----Original Message-----
> > From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf Of Rick Vargo
> > Sent: Monday, February 12, 2007 3:49 PM
> > To: grlug at grlug.org
> > Subject: Re: [GRLUG] iptables
> >
> > What does the routing table on Linux2 look like?
> >
> > Rick
> >
> >
> > Kaminski, Dennis J wrote:
> > >
> > > I've been using iptables for years for security on each individual
> > > box. I thought I understood it, but I'm having some trouble with
> > > address translation.
> > >
> > > The 3 boxes involved used to all be on the same network.
> > > Linux1,   eth0 172.16.0.10/255.255.255.0
> > > Linux2,   eth0 172.16.0.20/255.255.255.0
> > > Other3,   eth0 172.16.0.30/255.255.255.0
> > >
> > > There are some security issues on Other3 (non-linux). I'm trying to
> > > move it to a different network, but still have it be accessible on its
> > > original address and restrict access using iptables on Linux2. I
> > > thought the following would work, but it doesn't.
> > >
> > > Linux1,   eth0 172.16.0.10/255.255.255.0 (same)
> > >
> > > Linux2,   eth0 172.16.0.20/255.255.255.0 (same)
> > >           eth1 192.168.0.20/255.255.255.0 (new)
> > >
> > > Other3,   eth0 192.168.0.30/255.255.255.0 (changed)
> > >
> > > The default route on Other3 is Linux2 (192.168.0.20).
> > >
> > > On Linux2, ip forwarding is turned on (/proc/sys/net/ipv4/ip_forward
> > > is set to 1) and the iptables contains
> > >
> > > iptables -F
> > > iptables -t nat -F
> > > iptables -t mangle -F
> > > iptables -t filter -F
> > >
> > > #       set policies
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT ACCEPT
> > > iptables -P FORWARD DROP
> > >
> > > iptables -t nat -A PREROUTING  -d 172.16.0.30  -i eth0 -j DNAT --to-destination 192.168.0.30
> > > iptables -t nat -A POSTROUTING -s 192.168.0.30 -j SNAT --to-source 172.16.0.30 -o eth0
> > > iptables -A FORWARD -d 172.16.0.30  -j ACCEPT
> > > iptables -A FORWARD -d 192.168.0.30 -j ACCEPT
> > > iptables -A FORWARD -s 172.16.0.30  -j ACCEPT
> > > iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
> > >
> > > iptables -A INPUT -s 172.16.0.0/255.255.255.0 -j ACCEPT
> > > iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
> > >
> > > I can ssh from Linux2 to Other3 and from Other3 to Linux2, BUT there
> > > is a long pause (about 40 seconds) before it asks for the password.
> > >
> > > From Other3 I can ping both ip addresses of Linux2 (172.16.0.20 and
> > > 192.168.0.20), but I cannot ping Linux1 (172.16.0.10)
> > >
> > > Does anyone have any words of advice?
> > >
> > > Thanks.
> > >
> > > *Dennis Kaminski*
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > grlug mailing list
> > > grlug at grlug.org
> > > http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
> >
>
>
> --
>
> Ubber::Geek
> http://grlug.org/
>


-- 

Ubber::Geek
http://grlug.org/
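As an added example (not code from anyone in the thread), the script below assembles the rule set Godwin sketches for Linux2: the 1:1 DNAT/SNAT mapping so that 172.16 hosts keep reaching Other3 at 172.16.0.30, a FORWARD chain that drops by default and admits only named services from the LAN, and logging of anything Other3 tries to originate. Interfaces and addresses follow the thread; the allowed port list, the secondary address on eth0 and the LOG prefix are assumptions.

```sh
#!/bin/sh
# Added example, not from anyone in the thread: builds the 1:1 NAT plus a
# restricted FORWARD chain for Linux2.  Interfaces and addresses follow the
# thread; the allowed port list and the secondary address are assumptions.
set -eu

LAN_IF=eth0; LAN_NET=172.16.0.0/24; OLD_ADDR=172.16.0.30   # Other3's old address
DMZ_IF=eth1; NEW_ADDR=192.168.0.30                          # Other3's new address
PORTS="22"                                                  # assumed: ssh only

# Print the commands instead of running them, so the set can be reviewed
# (or tested) without root; pass --apply to feed it to a root shell.
rules() {
    # Linux2 must answer ARP for the old address on the LAN side, or the
    # 172.16 hosts never hand it the packets that PREROUTING is to rewrite.
    echo "ip addr add $OLD_ADDR/32 dev $LAN_IF"
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # 1:1 mapping: LAN hosts keep reaching Other3 at its original address.
    echo "iptables -t nat -A PREROUTING  -i $LAN_IF -d $OLD_ADDR -j DNAT --to-destination $NEW_ADDR"
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $NEW_ADDR -j SNAT --to-source $OLD_ADDR"
    # Return traffic for flows already accepted, in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections: only the listed TCP ports, only from the LAN, only to Other3.
    for p in $PORTS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $NEW_ADDR -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Anything Other3 itself originates toward the LAN is logged, then hits the DROP policy.
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $NEW_ADDR -m state --state NEW -j LOG --log-prefix 'other3-out '"
}

# Number of ACCEPT rules in FORWARD: one per allowed port plus the state rule.
count_forward_accepts() { rules | grep -c -- '-A FORWARD .*-j ACCEPT'; }

if [ "${1:-}" = "--apply" ]; then rules | sh -e; fi
```

Run without arguments to review the generated commands; the LOG rule gives the Linux2 syslog a record of any connection attempt from Other3 toward the LAN before the policy drops it.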

