Linux Format forums

RE: Rules incorporating subnet addresses

Nigel — Mon May 23, 2005 11:18 am

Author: Nigel

Posted: Mon May 23, 2005 11:18 am

I'm guessing that the 192.16.2.20 was a typo as everything else in the post refers to 172.16.2.120...

RE: Rules incorporating subnet addresses

Anonymous — Mon May 23, 2005 10:28 am

Author: Anonymous

Posted: Mon May 23, 2005 10:28 am

Hmmm. but what concerns me here is how does a PC with an IP address like 192.16.2.20 succeed at all in communicating on a subnet id of 172.16.2.0 ??? typo in subnet id ?

Once that aspect is sorted, the challenge is to figure out how to test it correctly......if you have access to a second PC, best to set up a slow old dial-up connection to the Internet so you can "pretend" to be someone on the "public" side of the FW.

CharlieS.

RE: Rules incorporating subnet addresses

Anonymous — Mon May 23, 2005 12:46 am

Author: Anonymous

Posted: Mon May 23, 2005 12:46 am

Thanks Nigel

That makes sense!

RE: Rules incorporating subnet addresses

Nigel — Sun May 22, 2005 11:24 pm

Author: Nigel

Posted: Sun May 22, 2005 11:24 pm

Um, I may be misreading this, but why would traffic from one machine on the subnet to another machine on the same subnet be going through your firewall at all ? You need to set up something on 172.16.2.120 itself to drop all incoming ssh connections.

AFAIK the firewall will only affect connections that use that machine as a router (ie it needs to come in on one of your ethernet cards and go out on the other), or stuff that comes in on either card destined for the firewall box itself.

Rules incorporating subnet addresses

Anonymous — Sun May 22, 2005 6:24 pm

Author: Anonymous

Posted: Sun May 22, 2005 6:24 pm

Does anyone know the answer to this one???

I'm configuring a firewall that's got an eth0 link to the internet & an eth1 link to an internal subnet (172.16.2.0).

I've put in this rule to stop all ssh access to a PC (192.16.2.120) on the subnet via the firewall:

iptables -A FORWARD -p tcp -s 0/0 -d 172.16.2.120 --dport 22 -j DROP

however, this rule is still allowing other PCs on the subnet to connect to the PC. I've also tried the following rules, even to the point of specify an individual source PC on the subnet & dropping all ssh traffic to the destination PC & changing the FORWARD policy to DROP:

iptables -A FORWARD -p tcp -s 172.16.2.0/24 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -s 172.16.2.220 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -d 172.16.2.120 --dport -j DROP
iptables -P FORWARD DROP

Yet i can still contact the destination PC from another PC on the subnet. I've read & read & read till I'm blue in the face & can't for the life in me figure out why this isn't working!!

Does anybody have any suggestions???

Cheers