Re: IP-Tables spoof protection problem with 2 interfaces
--- Fabian Strachanski <fabian@zorro.uni-duisburg.de> wrote:
> Hello everyone,
> i've a problem with a dual homed host and the configuration of spoof
> protection.
>
> The host is a Linux box with two interfaces:
> OS-Version : Red Hat Linux release 9 (Shrike)
> Kernel-Release : 2.4.20-24.9smp
> CPU : 0 - 1 Intel(R) Pentium(R) 4 CPU 2.80GHz
> CPU : 1 - 2 Intel(R) Pentium(R) 4 CPU 2.80GHz
> Interface : eth0 X.X.4.43 X.X.4.255 (public class B net)
> Interface : eth1 X.X.1.43 X.X.1.255 (public class B net)
>
> /---------------------------------------------\
> /                  internet                   \
> |                                             |
> \                                             /
>  ----------------------------------------------
>           |                       |
>        router 1                router 2
>           |                       |
>           |           ----------  |
> subnet X.X.1.x -- eth1-| server |-eth0 -- subnet X.X.4.x
>                        ----------
>
> Extraction from the script:
> ...
> IF_0=eth0
> IF_1=eth1
> ...
> HOST="`/bin/hostname`"
> ...
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
> ...
> # spoof protection
> ${IPTABLES} -A INPUT -s $HOST -i $IF_0 -j DROP
> ${IPTABLES} -A INPUT -s $HOST -i $IF_1 -j DROP
IIRC...
ssh uses the ethernet device for tunnels (and X11); this might cause your
ssh to stall.
Connections are made to the IP the client connected to. When I use an
ethernet sniffer on the local host, I get these pkts. I don't think that
even a hubbed host would actually be sniffable from other hosts.
> ...
>
> Observed problems:
> * Enabling "rp_filter" causes some of my ssh-connections to freeze (no
> response; my computer is part of the internet);
> pinging both interfaces from a machine in the internet fails, one of
> them is not reachable; pinging them from a host within the subnet is
> possible
> * Enabling the input-firewall-rules has the effect of a delay of a few
> minutes(!) when starting the script.
>
> The aim of the "firewall"-script is to protect the host against
> undesired connections. I need an advice.
>
> thanx
> R.
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
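As an added example (not the original poster's script and not part of the reply above): the same spoof-protection rules built from literal interface addresses instead of the output of `hostname`. Passing a hostname to `iptables -s` makes iptables call the resolver for every such rule while the rule set is loaded, which is the kind of thing that turns into a multi-minute start-up delay when DNS is slow or unreachable from the box. The addresses below are constructed RFC 5737 documentation addresses standing in for the masked X.X.4.43 and X.X.1.43; the function names `is_ipv4` and `spoof_rules` are this example's own, and nothing is applied to the kernel unless the printed commands are piped to sh.

```shell
#!/bin/sh
# Added example (not the poster's script): anti-spoof INPUT rules for a
# dual-homed host built from literal addresses, so that iptables never
# consults the resolver while the rules are loaded.  192.0.2.43 and
# 198.51.100.43 are constructed RFC 5737 addresses standing in for the
# masked X.X.4.43 / X.X.1.43 of the post.
IPTABLES=${IPTABLES:-/sbin/iptables}

# is_ipv4 ADDR: succeed only for a dotted-quad literal.  Anything else,
# such as the output of `hostname`, would be handed to the resolver by
# iptables at rule-load time.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# spoof_rules IF_A ADDR_A IF_B ADDR_B: print one iptables command per line.
# A packet arriving on either interface must not claim one of the host's
# own addresses, or a loopback address, as its source.  The output is only
# printed; review it and pipe it to sh to apply it.
spoof_rules() {
    if_a=$1 addr_a=$2 if_b=$3 addr_b=$4
    for addr in "$addr_a" "$addr_b"; do
        if ! is_ipv4 "$addr"; then
            echo "refusing non-literal source address: $addr" >&2
            return 1
        fi
    done
    for ifc in "$if_a" "$if_b"; do
        for addr in "$addr_a" "$addr_b" 127.0.0.0/8; do
            printf '%s -A INPUT -i %s -s %s -j DROP\n' "$IPTABLES" "$ifc" "$addr"
        done
    done
}

# Usage with the constructed addresses; compare with `-s $HOST` in the post.
spoof_rules eth0 192.0.2.43 eth1 198.51.100.43
```

The rp_filter symptom in the post is a separate matter: on a dual-homed host whose default route leaves through only one interface, strict reverse-path filtering (the only mode a 2.4 kernel has) discards packets that arrive on the other interface from Internet sources, because the kernel's best route back to them does not go out that interface, which is consistent with exactly one address being unreachable from outside. The per-interface files under /proc/sys/net/ipv4/conf/<if>/rp_filter let the check be kept on the interface whose return path is symmetric and dropped on the other, but how the `all` value combines with the per-interface value has changed across kernel versions, so verify the behaviour on the kernel in use rather than assuming it.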