Re: IP-Tables spoof protection problem with 2 interfaces
Have you used iproute2 to create split routing per The Advanced Routing
HOWTO at
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html ?
On Tue, 2004-09-21 at 12:45, Fabian Strachanski wrote:
> Hello everyone,
> I've a problem with a dual-homed host and the configuration of spoof
> protection.
>
> The host is a Linux box with two interfaces:
> OS-Version : Red Hat Linux release 9 (Shrike)
> Kernel-Release : 2.4.20-24.9smp
> CPU : 0 - 1 Intel(R) Pentium(R) 4 CPU 2.80GHz
> CPU : 1 - 2 Intel(R) Pentium(R) 4 CPU 2.80GHz
> Interface : eth0 X.X.4.43 X.X.4.255 (public class B net)
> Interface : eth1 X.X.1.43 X.X.1.255 (public class B net)
>
>                 /---------------------------------------------\
>                /                   internet                    \
>                |                                               |
>                \                                               /
>                 -----------------------------------------------
>                      |                                   |
>                   router 1                            router 2
>                      |                                   |
>                      |            ----------             |
> subnet X.X.1.x -- eth1 ----------|  server  |---------- eth0 -- subnet X.X.4.x
>                                   ----------
>
> Extraction from the script:
> ...
> IF_0=eth0
> IF_1=eth1
> ...
> HOST="`/bin/hostname`"
> ...
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
> ...
> # spoof protection
> ${IPTABLES} -A INPUT -s $HOST -i $IF_0 -j DROP
> ${IPTABLES} -A INPUT -s $HOST -i $IF_1 -j DROP
> ...
>
> Observed problems:
> * Enabling "rp_filter" causes some of my ssh connections to freeze (no
>   response; my computer is part of the internet); pinging both interfaces
>   from a machine in the internet fails, one of them is not reachable;
>   pinging them from a host within the subnet is possible.
> * Enabling the input firewall rules has the effect of a delay of a few
>   minutes(!) when starting the script.
>
> The aim of the "firewall" script is to protect the host against undesired
> connections. I need advice.
>
> thanks
> R.
Regards,
Peter
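The split routing Peter points at, written out as a worked example for a
dual-homed host. This is an added illustration, not code from either message:
the addresses (192.0.2.0/24 standing in for the X.X.4.x side, 198.51.100.0/24
for X.X.1.x, both /24 here rather than the class B nets in the post), the
gateways and the routing table numbers are placeholders. The point of the
source-based rules is that strict rp_filter drops a packet whose source the
kernel would route back out through a different interface than the one it
arrived on; with one default route, every internet source fails that test on
the second interface, which is why only one of the two addresses answers pings.
With one table per interface the reverse lookup for a packet addressed to
IP_x is resolved in table x and points back at the same interface. The example
also replaces `-s $HOST` with the literal interface addresses: iptables has to
resolve a name through the resolver before it can add each rule, and it only
matches the address the name resolves to, so a resolver that cannot be reached
(because of rp_filter or the rules themselves) turns every such rule into a
timeout, and only one of the two addresses gets protected.

```shell
#!/bin/sh
# Policy routing for a dual-homed host (LARTC "multiple links" pattern).
# All interface names, addresses, gateways and table ids below are
# constructed placeholders, not values from the original message.

IF_0=eth0; IP_0=192.0.2.43;    NET_0=192.0.2.0/24;    GW_0=192.0.2.1;    TBL_0=10
IF_1=eth1; IP_1=198.51.100.43; NET_1=198.51.100.0/24; GW_1=198.51.100.1; TBL_1=20
IPTABLES=${IPTABLES:-iptables}

# Execute a command, or only print it when DRY_RUN is set (no root needed).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per interface: packets sourced from $addr leave via
# $ifc/$gw, and the reverse-path lookup for packets addressed to $addr
# lands in the same table, so strict rp_filter accepts them.
setup_table() {
    ifc=$1; addr=$2; net=$3; gw=$4; tbl=$5
    run ip route add "$net" dev "$ifc" src "$addr" table "$tbl"
    run ip route add default via "$gw" dev "$ifc" table "$tbl"
    run ip rule add from "$addr" table "$tbl"
}

setup_policy_routing() {
    setup_table "$IF_0" "$IP_0" "$NET_0" "$GW_0" "$TBL_0"
    setup_table "$IF_1" "$IP_1" "$NET_1" "$GW_1" "$TBL_1"
    run ip route flush cache
}

# Strict reverse-path filtering on each external interface.
setup_rp_filter() {
    for ifc in "$IF_0" "$IF_1"; do
        run sysctl -w "net.ipv4.conf.$ifc.rp_filter=1"
    done
}

# Anti-spoofing: a packet arriving from outside must never claim one of
# our own addresses as its source. Literal addresses, no name lookups.
setup_antispoof() {
    for ifc in "$IF_0" "$IF_1"; do
        for addr in "$IP_0" "$IP_1"; do
            run "$IPTABLES" -A INPUT -i "$ifc" -s "$addr" -j DROP
        done
    done
}

case "${1:-}" in
    apply) setup_policy_routing; setup_rp_filter; setup_antispoof ;;
    show)  DRY_RUN=1 setup_policy_routing; DRY_RUN=1 setup_rp_filter; DRY_RUN=1 setup_antispoof ;;
esac
```

Run it as `sh dualhomed.sh show` to see the commands it would issue and as root
with `apply` to execute them. The table ids must not collide with the reserved
ones (253 to 255), and the rules must be added before rp_filter is turned on,
otherwise the ssh session used to configure the box is the first thing to freeze.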