[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: Can a daemon listen only on some interfaces?

At 10.12.2001, mdevin wrote:
> On Sun, Dec 09, 2001 at 07:45:52PM +0100, Guido Hennecke wrote:
> > rp_filter will not help with that.

...because rp_filter filters the _source_ address and not the

> Now, please explain what an attacker would do in your example above.  Do
> you mean the following?:

I try to explain again:

You have a Linux box with "eth0" and "eth1". "eth0" is the Internet
interface, "eth1" is the interface to the LAN.

IP addresses: eth0 -
              eth1 -

You want remote access from your LAN to the Linux Box with ssh. So you
bind the sshd to and think, now the sshd is only reachable
from your LAN.

The atacker is client at the same provider than you are and in the same
network segment (sorry for my english!).

The atacker sets a route like this:

route add gw

And now "ssh" will work without routing on _your_ box
activated. So the FORWARD chain from ipchains will not work for that.

> If I have got the reasoning correct, then I can see the problem.  It
> would seem easy to do this from the LAN, but I don't think possible from
> the internet - since packets with destination would not get
> routed.

Yes, _if_ they will not be routet from the atacker to you. But can you
be shure? Waht, if the atacker is client by your ISP too?

With ipchains you can make the following:

ipchains -A input -i ! eth1 -d -j DENY

You also can specify the whole private network or something like that.

> Second question:
> Why does the state INVALID match match these packets.  Are they flagged
> as invalid because they have come in from eth0 but with a destination of
> (which should be impossible)?

I don't know. I am not very experianced with iptables.

Regards, Guido
Nota bene: wenn Word für Längeres geeignet wäre, würde es schließlich
nicht Word, sondern Sentence, Page oder Article heißen
-Matthias Mühlich in dctt

Reply to: