
Re: two ethernet without routing

On Wed, 2002-03-13 at 12:27, Jean-Marc V. Liotier wrote:
> On Wed, 2002-03-13 at 11:27, jsalord@publicom1010.com wrote:
> > 
> > There has to be some kind of routing now because I can connect to my apache
> > by typing the two IPs even though I've just one cable connected to eth0.
> You have to explicitly block and log spoof attempts. For example, if
> you have eth0 on and eth1 on
> /sbin/iptables -A INPUT -i eth1 -s -j LOG
> /sbin/iptables -A INPUT -i eth1 -s -j DROP
> /sbin/iptables -A INPUT -i eth0 -s -j LOG
> /sbin/iptables -A INPUT -i eth0 -s -j DROP
> This way packets will only be accepted if they come in through the
> "right" interface, and you will be alerted if some don't.

Actually, the previous commands assume that the entire universe consists
only of the two example subnets. The following one is more realistic:

# If a packet comes in on eth1 and its source is not
# then log it and drop it.
/sbin/iptables -A INPUT -i eth1 -s ! -j LOG
/sbin/iptables -A INPUT -i eth1 -s ! -j DROP
# Same for the other interface/subnet couple.
/sbin/iptables -A INPUT -i eth0 -s ! -j LOG
/sbin/iptables -A INPUT -i eth0 -s ! -j DROP

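The per-interface anti-spoofing rules discussed in the message above, as an added example that is not part of the original thread. It generates (and, on request, applies) the same log-then-drop pair for each interface, but in the current iptables negation syntax (`! -s` rather than `-s !`), rate-limits the LOG rule, and adds the kernel's reverse-path filter as a second, independent check. The interface/subnet pairs (eth0 on 192.0.2.0/24, eth1 on 198.51.100.0/24) are assumptions, since the message's own addresses did not survive; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original thread: generate (and optionally
# apply) per-interface anti-spoofing rules in the spirit of the message
# above, in the current iptables syntax ("! -s", not "-s !").
# The interface/subnet pairs below are assumptions; the message's own
# addresses did not survive. Default is a dry run that only prints.

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

# antispoof_rules IFACE SUBNET
# Print two rules: log, then drop, anything arriving on IFACE whose
# source is outside SUBNET. The LOG rule is rate-limited so a flood of
# spoofed packets cannot fill the log, and tagged with the interface.
antispoof_rules() {
    iface=$1 subnet=$2
    printf '%s -A INPUT -i %s ! -s %s -m limit --limit 5/min -j LOG --log-prefix "SPOOF %s: "\n' \
        "$IPT" "$iface" "$subnet" "$iface"
    printf '%s -A INPUT -i %s ! -s %s -j DROP\n' \
        "$IPT" "$iface" "$subnet"
}

# rp_filter_cmds
# Print the sysctls that turn on the kernel's reverse-path filter, which
# drops a packet whose source address would not be routed back out the
# interface it arrived on. Unlike the rules above it does not log.
rp_filter_cmds() {
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=1\n'
    printf 'sysctl -w net.ipv4.conf.default.rp_filter=1\n'
}

# run_cmds: read commands on stdin; print them (dry run) or execute them.
run_cmds() {
    if [ "$DRY_RUN" = 1 ]; then cat; else sh -e; fi
}

# Assumed topology: eth0 on 192.0.2.0/24, eth1 on 198.51.100.0/24.
{
    antispoof_rules eth0 192.0.2.0/24
    antispoof_rules eth1 198.51.100.0/24
    rp_filter_cmds
} | run_cmds
```

Run it as-is to review the generated rules; run it with `DRY_RUN=0` as root to apply them. The iptables rules and rp_filter are complementary: the rules give you the log entry the message asks for, while rp_filter also covers interfaces you forgot to list, but only when the routing table actually distinguishes the two subnets.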
