Rules incorporating subnet addresses

The place to post if you need help or advice

Moderators: ChrisThornett, LXF moderators

Rules incorporating subnet addresses

Postby Missy » Sun May 22, 2005 5:24 pm

Does anyone know the answer to this one???

I'm configuring a firewall that's got an eth0 link to the internet & an eth1 link to an internal subnet (172.16.2.0).

I've put in this rule to stop all ssh access to a PC (192.16.2.120) on the subnet via the firewall:

iptables -A FORWARD -p tcp -s 0/0 -d 172.16.2.120 --dport 22 -j DROP

however, this rule is still allowing other PCs on the subnet to connect to the PC. I've also tried the following rules, even to the point of specify an individual source PC on the subnet & dropping all ssh traffic to the destination PC & changing the FORWARD policy to DROP:

iptables -A FORWARD -p tcp -s 172.16.2.0/24 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -s 172.16.2.220 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -d 172.16.2.120 --dport -j DROP
iptables -P FORWARD DROP


Yet i can still contact the destination PC from another PC on the subnet. I've read & read & read till I'm blue in the face & can't for the life in me figure out why this isn't working!!

Does anybody have any suggestions???

Cheers
Missy
 

RE: Rules incorporating subnet addresses

Postby Nigel » Sun May 22, 2005 10:24 pm

Um, I may be misreading this, but why would traffic from one machine on the subnet to another machine on the same subnet be going through your firewall at all ? You need to set up something on 172.16.2.120 itself to drop all incoming ssh connections.

AFAIK the firewall will only affect connections that use that machine as a router (ie it needs to come in on one of your ethernet cards and go out on the other), or stuff that comes in on either card destined for the firewall box itself.
Hope this helps,

Nigel.
User avatar
Nigel
LXF regular
 
Posts: 1141
Joined: Fri Apr 08, 2005 8:03 pm
Location: Gloucestershire, UK

RE: Rules incorporating subnet addresses

Postby Guest » Sun May 22, 2005 11:46 pm

Thanks Nigel

That makes sense!
Guest
 

RE: Rules incorporating subnet addresses

Postby Guest » Mon May 23, 2005 9:28 am

Hmmm. but what concerns me here is how does a PC with an IP address like 192.16.2.20 succeed at all in communicating on a subnet id of 172.16.2.0 ??? typo in subnet id ?


Once that aspect is sorted, the challenge is to figure out how to test it correctly......if you have access to a second PC, best to set up a slow old dial-up connection to the Internet so you can "pretend" to be someone on the "public" side of the FW.

CharlieS.
Guest
 

RE: Rules incorporating subnet addresses

Postby Nigel » Mon May 23, 2005 10:18 am

I'm guessing that the 192.16.2.20 was a typo as everything else in the post refers to 172.16.2.120...
Hope this helps,

Nigel.
User avatar
Nigel
LXF regular
 
Posts: 1141
Joined: Fri Apr 08, 2005 8:03 pm
Location: Gloucestershire, UK


Return to Help!

Who is online

Users browsing this forum: huwgreen and 2 guests