
Re: two ethernet without routing



On Wed, 2002-03-13 at 12:27, Jean-Marc V. Liotier wrote:
> On Wed, 2002-03-13 at 11:27, jsalord@publicom1010.com wrote:
> > 
> > There have to be some kind of routing now because I can connect to my apache
> > typing the two IPs even I've just one cable connected to eth0.
> 
> You have to explicitly block and log spoof attempts. For example, if
> you have eth0 on 192.168.0.0/24 and eth1 on 192.168.1.0/24
> 
> /sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j LOG
> /sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j LOG
> /sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP
> 
> This way packets will only be accepted if they come in through the
> "right" interface, and you will be alerted if some don't.

Actually, the previous commands assume that the entire universe is only
made from the two example subnets. The following one is more realistic:

# If a packet comes in on eth1 and its source is not 192.168.1.0/24
# then log it and drop it.
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.1.0/24 -j LOG
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.1.0/24 -j DROP
# Same for the other interface/subnet couple.
/sbin/iptables -A INPUT -i eth0 -s ! 192.168.0.0/24 -j LOG
/sbin/iptables -A INPUT -i eth0 -s ! 192.168.0.0/24 -j DROP
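The difference between the two rule sets above, as an added illustration that is not part of the original mail: a small Python model of the INPUT chain that renders both rule sets (using the newer `! -s` negation spelling, an assumption) and walks constructed packets through them, so you can see which sources the "naive" version still lets in.

```python
import ipaddress

# Interface/subnet pairs from the thread (constructed to match the example).
IFACES = {"eth0": "192.168.0.0/24", "eth1": "192.168.1.0/24"}

def naive_rules(ifaces):
    """First ruleset in the thread: only drop the *other* interface's subnet."""
    rules = []
    for iface in ifaces:
        for other, net in ifaces.items():
            if other != iface:
                rules.append((iface, net, False, "LOG"))
                rules.append((iface, net, False, "DROP"))
    return rules

def strict_rules(ifaces):
    """Second ruleset: drop anything whose source is not the interface's own subnet."""
    rules = []
    for iface, net in ifaces.items():
        rules.append((iface, net, True, "LOG"))
        rules.append((iface, net, True, "DROP"))
    return rules

def render(rules):
    """Render rules as iptables commands ('! -s' negation syntax is an assumption)."""
    out = []
    for iface, net, negate, target in rules:
        src = f"! -s {net}" if negate else f"-s {net}"
        out.append(f"/sbin/iptables -A INPUT -i {iface} {src} -j {target}")
    return out

def evaluate(rules, iface, src_ip):
    """Walk the chain in order: LOG is non-terminating, DROP ends the walk,
    and the chain's default policy is assumed to be ACCEPT.
    Returns (verdict, logged)."""
    ip = ipaddress.ip_address(src_ip)
    logged = False
    for r_iface, net, negate, target in rules:
        if r_iface != iface:
            continue
        in_net = ip in ipaddress.ip_network(net)
        if in_net != negate:  # rule matches (plain match or negated match)
            if target == "LOG":
                logged = True
            elif target == "DROP":
                return "DROP", logged
    return "ACCEPT", logged
```

With the naive rules a packet from 10.0.0.1 arriving on eth1 is silently accepted; the strict rules log and drop it.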

