Does anyone know the answer to this one???
I'm configuring a firewall that's got an eth0 link to the internet & an eth1 link to an internal subnet (172.16.2.0).
I've put in this rule to stop all ssh access to a PC (192.16.2.120) on the subnet via the firewall:
iptables -A FORWARD -p tcp -s 0/0 -d 172.16.2.120 --dport 22 -j DROP
however, this rule is still allowing other PCs on the subnet to connect to the PC. I've also tried the following rules, even to the point of specify an individual source PC on the subnet & dropping all ssh traffic to the destination PC & changing the FORWARD policy to DROP:
iptables -A FORWARD -p tcp -s 172.16.2.0/24 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -s 172.16.2.220 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -d 172.16.2.120 --dport -j DROP
iptables -P FORWARD DROP
Yet i can still contact the destination PC from another PC on the subnet. I've read & read & read till I'm blue in the face & can't for the life in me figure out why this isn't working!!
Does anybody have any suggestions???
Cheers
Home About Buy online Blog Archives Newsletters Subscribe Contact
Linux Format forums
Help, discussion, magazine feedback and more
Rules incorporating subnet addresses
Moderators: ChriThor, LXF moderators
5 posts
• Page 1 of 1
RE: Rules incorporating subnet addresses
by Nigel » Sun May 22, 2005 10:24 pm
Um, I may be misreading this, but why would traffic from one machine on the subnet to another machine on the same subnet be going through your firewall at all ? You need to set up something on 172.16.2.120 itself to drop all incoming ssh connections.
AFAIK the firewall will only affect connections that use that machine as a router (ie it needs to come in on one of your ethernet cards and go out on the other), or stuff that comes in on either card destined for the firewall box itself.
AFAIK the firewall will only affect connections that use that machine as a router (ie it needs to come in on one of your ethernet cards and go out on the other), or stuff that comes in on either card destined for the firewall box itself.
Hope this helps,
Nigel.
Nigel.
- Nigel
- LXF regular
- Posts: 1141
- Joined: Fri Apr 08, 2005 8:03 pm
- Location: Gloucestershire, UK
RE: Rules incorporating subnet addresses
by Guest » Sun May 22, 2005 11:46 pm
Thanks Nigel
That makes sense!
That makes sense!
- Guest
RE: Rules incorporating subnet addresses
by Guest » Mon May 23, 2005 9:28 am
Hmmm. but what concerns me here is how does a PC with an IP address like 192.16.2.20 succeed at all in communicating on a subnet id of 172.16.2.0 ??? typo in subnet id ?
Once that aspect is sorted, the challenge is to figure out how to test it correctly......if you have access to a second PC, best to set up a slow old dial-up connection to the Internet so you can "pretend" to be someone on the "public" side of the FW.
CharlieS.
Once that aspect is sorted, the challenge is to figure out how to test it correctly......if you have access to a second PC, best to set up a slow old dial-up connection to the Internet so you can "pretend" to be someone on the "public" side of the FW.
CharlieS.
- Guest
RE: Rules incorporating subnet addresses
by Nigel » Mon May 23, 2005 10:18 am
I'm guessing that the 192.16.2.20 was a typo as everything else in the post refers to 172.16.2.120...
Hope this helps,
Nigel.
Nigel.
- Nigel
- LXF regular
- Posts: 1141
- Joined: Fri Apr 08, 2005 8:03 pm
- Location: Gloucestershire, UK
5 posts
• Page 1 of 1
Who is online
Users browsing this forum: Bing [Bot] and 2 guests