[H-GEN] IPTables problem
Nikolai Lusan
nikolai at humbug.org.au
Mon Jul 19 01:10:20 EDT 2004
On Mon, 2004-07-19 at 14:31, Harry Phillips wrote:
> I have a firewall appliance on a client's site that has only basic
> firewall configuration abilities. You can get it to forward a port on
> the external interface to a port on an internal host, that's it. I want
> to restrict who can connect to that port. At the moment anyone on the
> entire Internet can connect in.
Well, you need some sort of router to drop the packets you don't want to
see. (There are some known "firewall appliances" that run Linux; you can
get the firmware images, write your own iptables rules, then upload the
new firmware.)
> it so that the single NIC has an IP of 192.168.1.1 and an alias of
> 192.168.1.4
>
> I do not want any restrictions on the first IP. I have tried to
> configure iptables on the server to restrict what hosts can connect to
>
> It still allows *anyone* to connect to port 22 on the IP address
> 192.168.1.4, why? Is it because the second IP is just an alias?
Here is the rub: in order to do what you want, something needs to
drop the packets before they get to the machine (unless the machine
itself drops them). Does your network look like this:
                _________
Internet|------|firewall |------|LAN (with server and forwarded host)
               |appliance|
                ---------

or this

               _________        ______
Internet|-----|firewall |-----|Server|-----|LAN (With forwarded host)
              |appliance|     ------
               ---------
Unless it is the second layout, your server will never see the packets
you want it to drop.
Of course the other option is that you have a mid to high end Cisco
switch there that can do the filtering for you, but I am assuming this
is not the case because if you had such a switch you wouldn't have a
"firewall appliance"[1].
> If I can't get this worked out then I am more than likely going to stick
> in a second NIC to the server and get it to do all the masquerading.
The best option is probably to stick something between the "firewall
appliance" and the rest of the LAN, something that can do some real
filtering/NATing/routing.
Nikolai
[1] so does it make toast, waffles or ice? ;)
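For reference, here is the kind of rule set the original poster was trying to write, added as an example and not taken from the thread: SSH on the aliased address 192.168.1.4 is limited to a list of allowed sources while the primary address 192.168.1.1 stays unrestricted. An iptables `-d` match works on an alias address exactly as it does on a primary one. The allowed sources are made-up documentation addresses, and the chain name `ssh-alias` is a hypothetical choice. As the reply above explains, these are INPUT rules, so they only help if the forwarded packets actually arrive at this server's NIC; it is also assumed that the appliance does not rewrite the source address on the way in, since otherwise every connection would appear to come from the appliance and there would be nothing to filter on.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict SSH on the aliased
# address 192.168.1.4 to a list of allowed sources, leaving 192.168.1.1 alone.
# These INPUT rules only take effect if the packets actually reach this host,
# with their original source addresses intact.
# Run with IPTABLES=echo to print the rules instead of applying them.

IPTABLES="${IPTABLES:-iptables}"
ALIAS_IP="192.168.1.4"   # the aliased address the appliance forwards to
SSH_PORT="22"
# Hypothetical allowed sources (documentation ranges); replace with real ones.
ALLOWED_SOURCES="203.0.113.10 198.51.100.0/24"

apply_ssh_alias_rules() {
    # A dedicated chain keeps this policy separate from the rest of INPUT and
    # lets it be flushed and reloaded on its own.
    "$IPTABLES" -N ssh-alias 2>/dev/null || "$IPTABLES" -F ssh-alias

    # Only new TCP connections aimed at the alias address on the SSH port are
    # sent to the chain; traffic to 192.168.1.1 never matches this rule.
    "$IPTABLES" -A INPUT -p tcp -d "$ALIAS_IP" --dport "$SSH_PORT" \
        -m state --state NEW -j ssh-alias

    # Accept each permitted source host or network.
    for src in $ALLOWED_SOURCES; do
        "$IPTABLES" -A ssh-alias -s "$src" -j ACCEPT
    done

    # Anything else that reached the chain is logged (rate limited) and dropped.
    "$IPTABLES" -A ssh-alias -m limit --limit 5/min -j LOG \
        --log-prefix "ssh-alias drop: "
    "$IPTABLES" -A ssh-alias -j DROP
}

# Apply only when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "apply" ]; then
    apply_ssh_alias_rules
fi
```

Usage: `IPTABLES=echo sh ssh-alias.sh apply` prints the rules for review; `sh ssh-alias.sh apply` as root installs them. Because the ACCEPT rules are followed by an unconditional DROP inside the chain, the INPUT policy for the primary address is unaffected either way.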