
Re: iptables, 3 ethernet cards



>I have such firewall: (fragment)
>
>#eth0 - local 10.10.1.1
>#eth1 - local 192.168.1.1
>#eth2 - world 213...
>
>EXTERNAL=`ifconfig eth2 | grep "addr:" | cut -d: -f2 | cut -d" " -f1`
>
>iptables -P FORWARD DROP
>iptables -A FORWARD -i eth2 -j ACCEPT
>
>iptables -A FORWARD -i eth0 -s 10.10.1.0/24 -j ACCEPT
>iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
>
>iptables -t nat -A POSTROUTING -o eth2 -j SNAT -s 192.168.1.0/24 --to ${EXTERNAL}
>iptables -t nat -A POSTROUTING -o eth2 -j SNAT -s 10.10.1.0/24 --to ${EXTERNAL}
>
>Why, if I connect to eth1 with, for example, IP 10.10.1.10, do I have the open world?
>The same if I connect to eth0 with, for example, IP 192.168.1.10: I have the open world too.
>I want to block it!
>Please help!
>
>/* sorry for my english :-) */

I'm not a wizard, let them correct me if I'm wrong...
As you are setting the incoming interface along with the source IP, I think you
would have no problems with that. On my script I have these additional rules to
avoid IP misconfiguration and spoofing:

# ** Pre-routing **
# Drop packets arriving on the external interface that claim an RFC 1918
# (private) source address; such packets cannot legitimately come from
# the Internet. Note that the nat table only sees the first packet of
# each connection, which is enough to stop the connection from being set up.
echo -n "To avoid spoofing..."
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 10.0.0.0/8 -j DROP
echo "ok!"

You could add such DROP policies for internal IPs coming from wrong internal
interfaces. As they are on the Prerouting chain, they apply even before you
reach the forward chain, giving you some extra protection.

I'm not sure why you need this rule, though:

    iptables -A FORWARD -i eth2 -j ACCEPT

Could you enlighten me?

Regards,

Breno Moiana
-------------------------------------------------------------
"Science is organized knowledge. Wisdom is organized life."
    -- Immanuel Kant
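The reply above suggests adding per-interface drop rules so that a host plugged into the wrong LAN segment cannot use an address from the other one. As an added example (not code from either poster in this thread), the script below builds a complete ruleset for the three-interface layout of the original question. It places the anti-spoofing checks in the filter table's FORWARD chain, which every forwarded packet traverses (the nat table is consulted only for the first packet of a connection), and it restricts the eth2 ACCEPT rule to reply traffic so that unsolicited Internet traffic is not forwarded into either LAN. The EXTERNAL address is a constructed placeholder from the documentation range; the script only prints the rules unless IPTABLES=iptables is set and it runs as root.

```shell
#!/bin/sh
# Added example: per-interface anti-spoofing ruleset for a gateway with
# two LAN interfaces (eth0, eth1) and one Internet interface (eth2).
# Interface names and subnets follow the original post; the rule layout
# is this example's own, not either poster's script.
#
# With the default IPTABLES="echo iptables" the rules are printed, not
# installed. Run as root with IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

LAN0_IF=eth0; LAN0_NET=10.10.1.0/24
LAN1_IF=eth1; LAN1_NET=192.168.1.0/24
EXT_IF=eth2

# On a real gateway EXTERNAL would be read from the interface, e.g.
#   ip -4 -o addr show dev "$EXT_IF" | awk '{print $4}' | cut -d/ -f1
# A constructed placeholder (documentation range) keeps the script offline.
EXTERNAL="${EXTERNAL:-203.0.113.1}"

build_rules() {
    # Default deny for all forwarded traffic.
    $IPTABLES -P FORWARD DROP

    # Anti-spoofing: a packet entering a LAN interface with a source
    # outside that interface's subnet is dropped before any ACCEPT rule
    # below can match it. This is what blocks 192.168.1.10 on eth0 and
    # 10.10.1.10 on eth1.
    $IPTABLES -A FORWARD -i "$LAN0_IF" ! -s "$LAN0_NET" -j DROP
    $IPTABLES -A FORWARD -i "$LAN1_IF" ! -s "$LAN1_NET" -j DROP

    # Private (RFC 1918) source addresses never legitimately arrive
    # from the Internet.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPTABLES -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # Only replies to connections the LANs opened are accepted from the
    # Internet side; an unconditional '-i eth2 -j ACCEPT' would forward
    # any unsolicited traffic into both LANs.
    $IPTABLES -A FORWARD -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound traffic from each LAN, tied to its own interface and subnet.
    $IPTABLES -A FORWARD -i "$LAN0_IF" -s "$LAN0_NET" -o "$EXT_IF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -o "$EXT_IF" -j ACCEPT

    # Source NAT for both LANs when leaving through the external interface.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN0_NET" -j SNAT --to-source "$EXTERNAL"
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN1_NET" -j SNAT --to-source "$EXTERNAL"
}

# Kernel-side complement to the rules above: strict reverse-path
# filtering discards packets whose source address would not be routed
# back out the interface they arrived on. Printed as sysctl settings.
rp_filter_settings() {
    for dev in "$LAN0_IF" "$LAN1_IF" "$EXT_IF"; do
        echo "net.ipv4.conf.$dev.rp_filter = 1"
    done
}

build_rules
rp_filter_settings
```

The two `! -s` rules are deliberately placed before every ACCEPT so that rule order, not the FORWARD policy, enforces the binding between interface and subnet; the rp_filter settings catch the same misconfiguration at the routing layer even if the iptables rules are later reordered.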