[GRLUG] iptables

Godwin geektoyz at gmail.com
Tue Feb 13 01:48:23 EST 2007


Seriously though, the best way to do it is probably to setup Other3 on
172.16.0.30/255.255.255.252 and create a vlan on a managed switch.
Don't trust dem Winderz guys...  ;-)

That said (after NAT'ing), your FORWARD chain should have:

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -o eth1 -d 192.168.0.30/32 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.0.30/32 -o eth0 -d 172.16.0.0/16 -j ACCEPT

But since Other3 is the only one on the 192.x subnet, this is no
different than just setting the FORWARD chain w/ an ACCEPT policy and
calling it quits.

This is just quick-n-dirty to let traffic flow.  You should probably
do more packet tweaking/filtering 'cause the only defense you've
created is against malices that stay within the same broadcast domain.

G-


On 2/12/07, Kaminski, Dennis J <Dennis.Kaminski at dematic.com> wrote:
> Thanks for the response Rick,
>
> Here's the Linux2 routing table.
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 172.16.0.0      *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> default         virtualrtr      0.0.0.0         UG    0      0        0 eth0
>
>
> Dennis J Kaminski
>
> -----Original Message-----
> From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf
> Of Rick Vargo
> Sent: Monday, February 12, 2007 3:49 PM
> To: grlug at grlug.org
> Subject: Re: [GRLUG] iptables
>
> What does the routing table on Linux2 look like?
>
> Rick
>
>
> Kaminski, Dennis J wrote:
> >
> > I've been using iptables for years for security on each individual
> > box. I thought I understood it, but I'm having some trouble with
> > address translation.
> >
> > The 3 boxes involved used to all be on the same network.
> > Linux1,         eth0 172.16.0.10/255.255.255.0
> > Linux2,         eth0 172.16.0.20/255.255.255.0
> > Other3,         eth0 172.16.0.30/255.255.255.0
> >
> > There are some security issues on Other3 (non-linux). I'm trying to
> > move it to a different network, but still have it be accessible on its
> > original address and restrict access using iptables on Linux2. I
> > thought the following would work, but it doesn't.
> >
> > Linux1,         eth0 172.16.0.10/255.255.255.0 (same)
> >
> > Linux2,         eth0 172.16.0.20/255.255.255.0 (same)
> >                 eth1 192.168.0.20/255.255.255.0 (new)
> >
> > Other3,         eth0 192.168.0.30/255.255.255.0 (changed)
> >
> > The default route on Other3 is Linux2 (192.168.0.20).
> >
> > On Linux2, ip forwarding is turned on (/proc/sys/net/ipv4/ip_forward
> > is set to 1) and the iptables contains
> >
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> > iptables -t filter -F
> >
> > #       set policies
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> >
> > iptables -t nat -A PREROUTING  -d 172.16.0.30  -i eth0 -j DNAT --to-destination 192.168.0.30
> > iptables -t nat -A POSTROUTING -s 192.168.0.30 -j SNAT --to-source 172.16.0.30 -o eth0
> > iptables -A FORWARD -d 172.16.0.30  -j ACCEPT
> > iptables -A FORWARD -d 192.168.0.30 -j ACCEPT
> > iptables -A FORWARD -s 172.16.0.30  -j ACCEPT
> > iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
> >
> > iptables -A INPUT -s 172.16.0.0/255.255.255.0 -j ACCEPT
> > iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
> >
> > I can ssh from Linux2 to Other3 and from Other3 to Linux2, BUT there
> > is a long pause (about 40 seconds) before it asks for the password.
> >
> > From Other3 I can ping both ip addresses of Linux2 (172.16.0.20 and
> > 192.168.0.20), but I cannot ping Linux1 (172.16.0.10)
> >
> > Does anyone have any words of advice?
> >
> > Thanks.
> >
> > *Dennis Kaminski*
> >
> >
> >
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > grlug mailing list
> > grlug at grlug.org
> > http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
>


-- 

Ubber::Geek
http://grlug.org/
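As an added illustration, not code from the thread or from either poster: a small Python model of FORWARD-chain matching (interface and CIDR matches only, as in the rules quoted above; connection tracking and the NAT tables are left out) that runs Dennis's address-only FORWARD rules and Godwin's interface-bound rules against two constructed packets. It shows the difference Godwin is pointing at: the tighter rules refuse a packet that arrives on eth0 while claiming Other3's 192.168.0.30 as its source, which the address-only rules let through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrived on (matched by -i)
    out_if: str   # interface routing chose for it (matched by -o)
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None   # CIDR given to -s (None = any)
    dst: Optional[str] = None   # CIDR given to -d (None = any)

    def matches(self, p: Packet) -> bool:
        # Every criterion the rule specifies must agree with the packet.
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.out_if and p.out_if != self.out_if:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return True

def forward_verdict(rules, p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; with no match the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

# Dennis's FORWARD rules from the thread: addresses only, no interface binding.
ORIGINAL = [Rule("ACCEPT", dst="172.16.0.30/32"), Rule("ACCEPT", dst="192.168.0.30/32"),
            Rule("ACCEPT", src="172.16.0.30/32"), Rule("ACCEPT", src="192.168.0.30/32")]
# Godwin's FORWARD rules: each direction bound to the interfaces it should use.
TIGHTENED = [Rule("ACCEPT", "eth0", "eth1", "172.16.0.0/16", "192.168.0.30/32"),
             Rule("ACCEPT", "eth1", "eth0", "192.168.0.30/32", "172.16.0.0/16")]

# Constructed packets. LEGIT is Linux1's traffic after DNAT has rewritten
# 172.16.0.30 to 192.168.0.30. SPOOFED arrives on eth0 yet carries Other3's
# 192.168.0.30 as its source, which only a host on the 172.16 side can send.
LEGIT = Packet("eth0", "eth1", "172.16.0.10", "192.168.0.30")
SPOOFED = Packet("eth0", "eth0", "192.168.0.30", "172.16.0.10")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, forward_verdict(ORIGINAL, pkt), forward_verdict(TIGHTENED, pkt))
```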

