IP-Tables spoof protection problem with 2 interfaces
Hello everyone,
I have a problem with a dual-homed host and the configuration of spoof
protection.
The host is a Linux box with two interfaces:
OS-Version : Red Hat Linux release 9 (Shrike)
Kernel-Release : 2.4.20-24.9smp
CPU : 0 - 1 Intel(R) Pentium(R) 4 CPU 2.80GHz
CPU : 1 - 2 Intel(R) Pentium(R) 4 CPU 2.80GHz
Interface : eth0 X.X.4.43 X.X.4.255 (public class B net)
Interface : eth1 X.X.1.43 X.X.1.255 (public class B net)
       /---------------------------------------------\
      /                   internet                    \
      |                                               |
      \                                               /
       -----------------------------------------------
              |                              |
           router 1                       router 2
              |                              |
              |           ----------         |
subnet X.X.1.x -- eth1 -| server |- eth0 -- subnet X.X.4.x
                          ----------
Excerpt from the script:
...
IF_0=eth0
IF_1=eth1
...
HOST="`/bin/hostname`"
...
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
...
# spoof protection
${IPTABLES} -A INPUT -s $HOST -i $IF_0 -j DROP
${IPTABLES} -A INPUT -s $HOST -i $IF_1 -j DROP
...
Observed problems:
* Enabling "rp_filter" causes some of my ssh connections to freeze (no
  response; my computer is part of the internet). Pinging both interfaces
  from a machine on the internet fails, one of them is not reachable;
  pinging them from a host within the subnet is possible.
* Enabling the INPUT firewall rules has the effect of a delay of a few
  minutes(!) when starting the script.
The aim of the "firewall" script is to protect the host against undesired
connections. I need some advice.
Thanks
R.
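An added example, not the poster's script and not taken from the thread: spoof-protection INPUT rules for a dual-homed host generated from the interfaces' own addresses instead of the output of hostname. Two things a practitioner would check first on a setup like the one above. First, iptables passes a hostname given to -s through the resolver, so every such rule can block until the lookup completes (a slow or unreachable nameserver turns that into minutes at script start), and a hostname resolves to a single address, so the rule only ever covers one of the two interfaces. Second, rp_filter on a 2.4 kernel is strict reverse-path filtering: a packet is dropped when the route back to its source does not leave through the interface it arrived on, so on a host with two routers and one default route the interface that is not on the default route silently loses its traffic from the internet, which matches the symptoms described. Explicit per-interface DROP rules give the anti-spoofing without that side effect. The interface names, the RFC 5737 addresses and the IPTABLES and RUN variables below are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's script: anti-spoofing INPUT rules for a
# dual-homed host, built from explicit addresses rather than `hostname`.
# IPTABLES, RUN, the interface names and the RFC 5737 addresses at the
# bottom are assumptions of this example.  With RUN unset the commands are
# only printed, so the generator can be checked without root.
IPTABLES=${IPTABLES:-/sbin/iptables}
RUN=${RUN:-0}

# Rules for one interface.  A packet arriving on $dev whose source claims
# an address of this host, or a loopback address, cannot be legitimate.
# $1 = interface; remaining arguments = every IPv4 address of the host,
# not just the one on $dev (a packet on eth1 claiming eth0's address is
# spoofed too).  These rules must precede any ACCEPT rules in INPUT.
spoof_rules() {
    dev=$1
    shift
    for addr in "$@"; do
        printf '%s -A INPUT -i %s -s %s -j DROP\n' "$IPTABLES" "$dev" "$addr"
    done
    printf '%s -A INPUT -i %s -s 127.0.0.0/8 -j DROP\n' "$IPTABLES" "$dev"
}

# Whole ruleset.  Arguments come in pairs: interface, then its address.
build_ruleset() {
    ifaces=""
    all=""
    while [ $# -ge 2 ]; do
        ifaces="$ifaces $1"
        all="$all $2"
        shift 2
    done
    for ifc in $ifaces; do
        spoof_rules "$ifc" $all     # $all unquoted on purpose: a word list
    done
}

# Number of DROP rules the generator produces; used to sanity-check it.
rule_count() {
    build_ruleset "$@" | grep -c -- '-A INPUT'
}

# Print the commands, or execute them when RUN=1.
apply_ruleset() {
    if [ "$RUN" = 1 ]; then
        build_ruleset "$@" | sh
    else
        build_ruleset "$@"
    fi
}

# Constructed stand-ins for the post's X.X.4.43 (eth0) and X.X.1.43 (eth1).
apply_ruleset eth0 192.0.2.43 eth1 198.51.100.43
```

Run it as-is to see the six rules it would install (two host addresses plus loopback, per interface); run it with RUN=1 as root to install them. Because the addresses are literals, no resolver is involved and the script starts immediately, and because each interface gets the full address list, a packet on either wire claiming either of the host's addresses is dropped.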