[clug] Firewall rules for CentOS 4.4
Christopher Zhang
u4123459 at anu.edu.au
Sat Mar 10 09:19:00 GMT 2007
Suppose you have eth0: 192.168.1.0/24, gateway 192.168.1.1
eth1: 192.168.2.0/24, gateway 192.168.2.1
and suppose you use CentOS as your gateway/router, so it will have
two addresses, 192.168.1.1 and 192.168.2.1.
A machine connected to eth0 with a 192.168.2.0/24 address won't be
able to talk to the NFS server (assuming your NFS server is in
192.168.2.0/24 subnet). This is because for a 'fake' 192.168.2.0/24
(physically connected to eth0) to access outside its own subnet it
needs to go through gateway 192.168.2.1, whereas 192.168.2.1 cannot
be reached as it is on eth1.
In other words, as long as a machine is connected to eth0, it has to
go through 192.168.1.1 before it reaches other subnets.
I think your iptables rules can do what you want, but it may not be
necessary.
Or just a thought, maybe you can ask your router to do this:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to 192.168.1.1

This is to change the source address of the outgoing traffic through
eth0 to 192.168.1.1 if the source address is in 192.168.2.0/24.
I have a whole bunch of assumptions, but I hope the way you set up your
network doesn't deviate too much from them.
Chris
On 10/03/2007, at 6:10 PM, Ben wrote:
> I have a CentOS 4.4 box with:
> eth0: 192.168.1.x subnet: 255.255.255.0
> eth1: 192.168.2.x subnet: 255.255.255.0
>
>
> I'm using NFS and restricting access by port range and I want
> 192.168.2.0/24 to have access to stuff that 192.168.1.0/24 doesn't.
>
> I thought that by having separate NICs on separate networks, each with
> their own subnet would address this issue, but if someone sets up a
> 192.168.2.x address on the same network as eth0 (and anyone could do
> this), I was told there might be a possibility of them doing something
> to the NFS share intended for the 192.168.2.0/24 subnet.
>
> I want to create an iptables rule that drops any packets coming in
> through eth0 that have anything to do with 192.168.2.0/24 just to be
> on the safe side.
>
> After reading the man pages I've come up with the following, to be put
> at the top of the rules in /etc/sysconfig/iptables (just before the
> other rules starting with "-A RH-Firewall-1")
>
> -A RH-Firewall-1-INPUT -i eth0 -s 192.168.2.0/24 -j DROP
> -A RH-Firewall-1-INPUT -i eth0 -d 192.168.2.0/24 -j DROP
>
> Will this do what I want?
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
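Added example, not part of Chris's or Ben's messages: a small Python simulation of how iptables evaluates the two rules Ben proposed for the top of RH-Firewall-1-INPUT. It parses the iptables-save subset used in the thread (-A, -i, -s, -d, -j), applies first-match semantics, and runs the rules over constructed packets (interface names and addresses are made up for the illustration) so you can see which traffic each rule catches before loading anything on the box.

```python
# Added example (not from the mailing-list thread): simulate the two
# anti-spoofing rules from the thread over constructed packets.
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address


@dataclass
class Rule:
    chain: str
    in_iface: Optional[str]
    src_net: Optional[ipaddress.IPv4Network]
    dst_net: Optional[ipaddress.IPv4Network]
    target: str

    def matches(self, pkt: Packet) -> bool:
        # Every specified match must hold; unspecified matches are wildcards.
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        if self.dst_net is not None and ipaddress.ip_address(pkt.dst) not in self.dst_net:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse the iptables-save subset used in the thread: -A, -i, -s, -d, -j."""
    tokens = shlex.split(line)
    fields = {"-A": None, "-i": None, "-s": None, "-d": None, "-j": None}
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt not in fields or i + 1 >= len(tokens):
            raise ValueError(f"unsupported or incomplete option {opt!r} in {line!r}")
        fields[opt] = tokens[i + 1]
        i += 2
    if fields["-A"] is None or fields["-j"] is None:
        raise ValueError(f"rule needs a chain (-A) and a target (-j): {line!r}")

    def to_net(text: Optional[str]) -> Optional[ipaddress.IPv4Network]:
        # strict=False lets a host address like 192.168.2.1 stand in for a /32.
        return ipaddress.ip_network(text, strict=False) if text else None

    return Rule(fields["-A"], fields["-i"], to_net(fields["-s"]),
                to_net(fields["-d"]), fields["-j"])


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """iptables semantics: the first matching rule's terminating target wins.
    None means the packet fell through to whatever follows in the chain."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return None


# The two rules from the thread, as they would sit at the top of RH-Firewall-1-INPUT.
BEN_RULES = [parse_rule(r) for r in (
    "-A RH-Firewall-1-INPUT -i eth0 -s 192.168.2.0/24 -j DROP",
    "-A RH-Firewall-1-INPUT -i eth0 -d 192.168.2.0/24 -j DROP",
)]

# Constructed packets (interfaces and addresses chosen for illustration only).
SAMPLE_PACKETS = {
    "spoofed_on_eth0":   Packet("eth0", "192.168.2.50", "192.168.2.1"),
    "legit_on_eth1":     Packet("eth1", "192.168.2.50", "192.168.2.1"),
    "eth0_to_own_net":   Packet("eth0", "192.168.1.20", "192.168.1.1"),
    "eth0_to_eth1_addr": Packet("eth0", "192.168.1.20", "192.168.2.1"),
}


def verdicts(rules: List[Rule] = BEN_RULES, packets=SAMPLE_PACKETS) -> dict:
    """Map each sample packet name to the target of the first matching rule."""
    return {name: first_match(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:18s} -> {verdict or 'no match (continues down the chain)'}")
```

The first rule is the anti-spoofing one: a packet arriving on eth0 with a 192.168.2.0/24 source is dropped, while the same source arriving on eth1 falls through to the rest of the chain. The simulation also shows that the second rule, because it keys on the destination, matches a 192.168.1.0/24 host on eth0 addressing the box's own 192.168.2.1 address; whether that is wanted depends on how the box is used.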