Linux Format forums
Help, discussion, magazine feedback and more
Rules incorporating subnet addresses

 
Forum: Help!
Missy (Guest)
Posted: Sun May 22, 2005 6:24 pm    Post subject: Rules incorporating subnet addresses

Does anyone know the answer to this one?

I'm configuring a firewall that's got an eth0 link to the internet & an eth1 link to an internal subnet (172.16.2.0).

I've put in this rule to stop all ssh access to a PC (192.16.2.120) on the subnet via the firewall:

iptables -A FORWARD -p tcp -s 0/0 -d 172.16.2.120 --dport 22 -j DROP

However, this rule is still allowing other PCs on the subnet to connect to the PC. I've also tried the following rules, even to the point of specifying an individual source PC on the subnet & dropping all ssh traffic to the destination PC & changing the FORWARD policy to DROP:

iptables -A FORWARD -p tcp -s 172.16.2.0/24 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -s 172.16.2.220 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -d 172.16.2.120 --dport 22 -j DROP
iptables -P FORWARD DROP


Yet I can still contact the destination PC from another PC on the subnet. I've read & read & read till I'm blue in the face & can't for the life of me figure out why this isn't working!

Does anybody have any suggestions?

Cheers
Nigel (LXF regular; joined Fri Apr 08, 2005; 1141 posts; Gloucestershire, UK)
Posted: Sun May 22, 2005 11:24 pm    Post subject: RE: Rules incorporating subnet addresses

Um, I may be misreading this, but why would traffic from one machine on the subnet to another machine on the same subnet be going through your firewall at all? You need to set up something on 172.16.2.120 itself to drop all incoming ssh connections.

AFAIK the firewall will only affect connections that use that machine as a router (i.e. it needs to come in on one of your ethernet cards and go out on the other), or stuff that comes in on either card destined for the firewall box itself.
_________________
Hope this helps,

Nigel.
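The routing point Nigel makes above, worked through as an added example (this script is not part of the original thread and is not something either poster wrote): a small POSIX shell script that classifies where, if anywhere, a packet between two hosts would be seen by the firewall's netfilter chains, and then prints the DROP rules in the two places they actually belong. The thread only gives eth0/eth1, 172.16.2.0/24 and the target 172.16.2.120; the firewall's LAN-side address (172.16.2.1), the public test address (203.0.113.7) and the interface matches in the rules are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the forum thread. Models the netfilter view of a
# TCP/22 packet on a two-interface firewall: eth0 = Internet, eth1 = LAN.
LAN_NET=172.16.2.0
LAN_PREFIX=24
FW_LAN_IP=172.16.2.1        # ASSUMPTION: the firewall's eth1 address is not in the thread
TARGET=172.16.2.120         # the PC whose ssh port should be unreachable

# Dotted quad -> integer, POSIX arithmetic only (no bashisms).
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( o1 * 16777216 + o2 * 65536 + o3 * 256 + o4 ))
}

# Network number of ADDR (arg 1) under PREFIX (arg 2), as an integer.
netof() {
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo $(( $(ip2int "$1") & mask ))
}

# Prints which chain on the firewall sees a packet SRC -> DST:
#   LOCAL    both hosts on the LAN: the switch delivers it directly and no
#            chain on the firewall, FORWARD included, ever sees the packet
#   INPUT    addressed to the firewall itself (LAN-side address modelled here;
#            its public address would be handled the same way)
#   FORWARD  routed between eth0 and eth1
chain_for() {
    src=$1; dst=$2
    lan=$(netof "$LAN_NET" "$LAN_PREFIX")
    if [ "$dst" = "$FW_LAN_IP" ]; then
        echo INPUT
    elif [ "$(netof "$src" "$LAN_PREFIX")" = "$lan" ] && \
         [ "$(netof "$dst" "$LAN_PREFIX")" = "$lan" ]; then
        echo LOCAL
    else
        echo FORWARD
    fi
}

# Dry run by default: the rules are printed, not applied.
# Run with IPT=iptables as root to apply them for real.
IPT=${IPT:-"echo iptables"}

# On the firewall: only Internet-originated ssh to the target is routed
# through it, so FORWARD is the right chain for that traffic and only that.
firewall_rules() {
    $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d "$TARGET" --dport 22 -j DROP
}

# On 172.16.2.120 itself: LAN neighbours never cross the firewall, so the
# host has to refuse them in its own INPUT chain.
host_rules() {
    $IPT -A INPUT -p tcp --dport 22 -j DROP
}

# Demo over constructed addresses: a LAN neighbour, an outside host
# (203.0.113.7, documentation range, constructed) and the firewall itself.
for pair in "172.16.2.220 $TARGET" "203.0.113.7 $TARGET" "172.16.2.220 $FW_LAN_IP"; do
    set -- $pair
    printf '%-14s -> %-14s : %s\n' "$1" "$2" "$(chain_for "$1" "$2")"
done
echo "# on the firewall:"; firewall_rules
echo "# on $TARGET:";     host_rules
```

Run as-is it only prints the rules; set IPT=iptables and run as root on the respective machine to apply them. To confirm the model against the real network, run `tcpdump -ni eth1 port 22` on the firewall while trying `nc -zv -w 3 172.16.2.120 22` from a LAN host: the attempt connects (until the INPUT rule is on the host) and never appears on the firewall's capture, which is exactly why no FORWARD rule could have blocked it.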
Guest
Posted: Mon May 23, 2005 12:46 am    Post subject: RE: Rules incorporating subnet addresses

Thanks Nigel

That makes sense!
Guest
Posted: Mon May 23, 2005 10:28 am    Post subject: RE: Rules incorporating subnet addresses

Hmmm, but what concerns me here is how a PC with an IP address like 192.16.2.20 succeeds at all in communicating on a subnet ID of 172.16.2.0. Typo in the subnet ID?


Once that aspect is sorted, the challenge is to figure out how to test it correctly. If you have access to a second PC, it's best to set up a slow old dial-up connection to the Internet so you can "pretend" to be someone on the "public" side of the FW.

CharlieS.
Nigel (LXF regular; joined Fri Apr 08, 2005; 1141 posts; Gloucestershire, UK)
Posted: Mon May 23, 2005 11:18 am    Post subject: RE: Rules incorporating subnet addresses

I'm guessing that the 192.16.2.20 was a typo as everything else in the post refers to 172.16.2.120...
_________________
Hope this helps,

Nigel.
Powered by phpBB © 2001, 2005 phpBB Group
Copyright 2011 Future Publishing, all rights reserved.