
Re: routing based on source IP



Leonardo Boselli wrote:
On Sun, 4 Jan 2004, Mickey Mullin wrote:
Leonardo Boselli wrote:
> eth0:2 is a virtual port with a 172.16 address for private hosts (dhcp
> supply such addresses with our host as a gateway)
It's not always a great idea to have your public and private networks on the same ethernet port. Depending on the card, you may have serious performance issues, not to mention a potential security hole.

I tried using two different cards, and had more problems (incidentally: the
system used both cards for both addresses so, although it worked two times
faster [using two ports on the switch], logging and monitoring was full
of warnings about an address change ..)
For security concerns: having separate would be nice, but in some cases I
cannot avoid the possibility that someone plugs a machine that has to have
a private address into the "public" network. I have in effect some other way
to avoid abuses.

That can be handled with an iptables rule. Only accept traffic on an interface that has an address on the subnet you specify:

iptables -A INPUT -i $pub_if -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $pub_if -s 172.16.0.0/16 -j DROP

or, more likely, a longer set of ACCEPT rules about source address and destination addresses from the public interface.

You can use NAT and MASQUERADE to give the folks on the private network access to the public internet. Mixing the two networks plays havoc with your security rules.

> Requirements:
> 1. sourcing from the host itself (that runs apache-ssl, squid and exim-4, and all these programs do not have a problem recognizing the source of the
> request) except 5

I try to explain better: I need to have both separate firewall rules and
route tables if the packet is originated by the router itself or one of the
assigned addresses (that is the dialin ports, that can be considered as
local users), in which case no firewall rule should be in effect and
routing is normal; or the packet enters from eth0/1/2 to be routed, in which
case the routing table and firewall table are different.

Packets originating from the router itself go out through the OUTPUT chain:

# Policy: allow all packets originating from the router
iptables -P OUTPUT ACCEPT

Packets that come from other networks through the interfaces are handled in the INPUT and FORWARD chains:

# Policy: if we don't explicitly allow them, ignore them
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Accept packets from the internal interface from the
# private network bound for this box
iptables -A INPUT -i $private_if -s 192.168.0.0/24 -j ACCEPT

# Accept packets from the internal interface from the
# private network due to be routed
iptables -A FORWARD -i $private_if -s 192.168.0.0/24 -j ACCEPT

(You'll probably also have one or more entries for "iptables -t nat ..." to handle that last rule.)

> 4.  coming from eth1 only packets to that address.

iptables -A INPUT -i eth1 -d $eth1_ip -j ACCEPT

Should I add a deny rule to avoid someone on eth2 trying to talk to the
address at the other end of eth1?

I prefer to handle those with DROP policies (see above). If there's not a rule to ACCEPT the packet, drop it on the floor.

Thanks for the help

I try.  There are many who are much better than I am, but I'm verbal.  :)

mickey
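To see how the DROP policies, the anti-spoofing DROPs and the per-interface ACCEPT rules from this thread interact, here is a small first-match evaluator of that ruleset. It is an added example, not code from the list or from either poster; the interface names, router addresses and sample packets are constructed assumptions, and the point it makes is that the anti-spoofing DROP lines must come before any ACCEPT on the public interface.

```python
"""Tiny first-match evaluator for the iptables rules discussed in the thread.

Constructed example: interface names, addresses and packets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PUB_IF, PRIV_IF = "eth1", "eth0"               # assumed interface names
ROUTER_IPS = {"203.0.113.10", "192.168.0.1"}   # assumed addresses on this box
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

@dataclass
class Rule:
    chain: str
    target: str
    in_if: Optional[str] = None
    src: Optional[str] = None   # CIDR, as in "-s 172.16.0.0/16"
    dst: Optional[str] = None   # host address, as in "-d $eth1_ip"

RULES = [
    # anti-spoofing: private ranges never legitimately arrive on the public side
    Rule("INPUT", "DROP", in_if=PUB_IF, src="192.168.0.0/16"),
    Rule("INPUT", "DROP", in_if=PUB_IF, src="172.16.0.0/16"),
    # private network talking to this box, and being routed through it
    Rule("INPUT", "ACCEPT", in_if=PRIV_IF, src="192.168.0.0/24"),
    Rule("FORWARD", "ACCEPT", in_if=PRIV_IF, src="192.168.0.0/24"),
    # public side: only packets addressed to our own public address
    Rule("INPUT", "ACCEPT", in_if=PUB_IF, dst="203.0.113.10"),
]

def chain_for(pkt: dict) -> str:
    """Locally generated -> OUTPUT; addressed to us -> INPUT; else FORWARD."""
    if pkt.get("local"):
        return "OUTPUT"
    return "INPUT" if pkt["dst"] in ROUTER_IPS else "FORWARD"

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.in_if and rule.in_if != pkt.get("in_if"):
        return False
    if rule.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    return not rule.dst or rule.dst == pkt["dst"]

def verdict(pkt: dict, rules=RULES, policies=POLICIES) -> str:
    """First matching rule wins; otherwise the chain's policy applies."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return policies[chain]
```

Reversing the rule order (so the public-interface ACCEPT comes first) lets a packet with a spoofed 172.16 source through to the box, which is exactly what the anti-spoofing lines are there to prevent.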
