#1
Hi guys,
I have the following problem: I have a computer running Linux with 3 network links and 3 IP addresses:

IPA on network A with private IP addresses
IPB on network B
IPInternet on Internet

Linux is masquerading network A and routing network B. All is correct.

But I can ping IPA from network B. And IPA is responding. Is this a known bug? Is there some "ip rule" or "ip route" tricks to prevent this?

I want to install private services on IPA, but I can connect to IPA.

Thanks,
VspaceG
|
#2
|
Hello,
VspaceG wrote:

> I have the following problem: I have a computer running Linux with 3
> network links and 3 IP addresses:
>
> IPA on network A with private IP addresses
> IPB on network B
> IPInternet on Internet
>
> Linux is masquerading network A and routing network B. All is correct.
>
> But I can ping IPA from network B. And IPA is responding. Is this a
> known bug?

No, it is a feature. By default a Linux box accepts traffic to any of its local addresses on any interface, even when the destination address does not match the input interface. And it can send traffic from any of its local addresses on any interface, even when the source address does not match the output interface. IIRC it is called the "weak model".

"Worse": from network B you should be able to ping any host in network A. Remember that NAT itself does not provide a protection.

> Is there some "ip rule" or "ip route" tricks to prevent this?

I'm afraid not. Although it is possible to create source address-based rules with the "unreachable" or "prohibit" type, e.g.:

ip rule add type unreachable to <network_a> from <network_b>

this would work only for packets sent from network B to network A addresses other than IPA, because the local routing table, which contains the local addresses (IPA, IPB, IPInternet, 127.0.0.0/8), is looked up first, before the other routing rules are examined by the routing process. Besides, this would prevent communications from network A to network B from getting replies, which may be undesirable.

One solution is to use ACLs in the server application itself or in (x)inetd, tcpd, or any other applicable wrapper.

Another solution is to use iptables filtering rules with connection tracking to reject NEW connections from network B to network A and IPA. For example:

iptables -A FORWARD -s <network_b> -d <network_a> -m state --state NEW \
    -j REJECT
iptables -A INPUT -s <network_b> -d <ipa> -m state --state NEW -j REJECT

Feel free to add more checks such as the input interface.
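The filtering approach from the reply above, written out as a small script so the ruleset can be reviewed before it is applied. This is an added example, not code from either poster: the network prefixes, the IPA address and the interface name eth1 are constructed placeholders, and the input-interface match (-i) is the extra check the reply suggests adding. By default the script only prints the commands; set APPLY=1 to run them as root on a box that has iptables.

```shell
#!/bin/sh
# Added example (not from the original thread). Placeholder values, to be
# replaced with the real networks and interface of the router in question.
NET_A="${NET_A:-192.168.10.0/24}"   # private network A (constructed placeholder)
NET_B="${NET_B:-10.20.0.0/16}"      # network B (constructed placeholder)
IPA="${IPA:-192.168.10.1}"          # the box's own address on network A (placeholder)
IF_B="${IF_B:-eth1}"                # interface attached to network B (placeholder)

# gen_rules prints the iptables commands instead of executing them, so the
# rules can be inspected (or tested) without touching a live firewall.
# Only the first packet of a new flow from network B is refused; replies to
# connections opened from network A still match ESTABLISHED/RELATED and pass.
# ICMP echo requests are classified as NEW by conntrack, so pings are covered.
gen_rules() {
    # Forwarded traffic: B -> hosts on A (the "worse" case the reply mentions)
    echo "iptables -A FORWARD -i $IF_B -s $NET_B -d $NET_A -m state --state NEW -j REJECT"
    # Locally delivered traffic: B -> IPA on the router itself (weak host model)
    echo "iptables -A INPUT -i $IF_B -s $NET_B -d $IPA -m state --state NEW -j REJECT"
}

# apply_rules executes the generated commands (needs root and iptables).
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

# count_reject returns how many REJECT rules gen_rules produces.
count_reject() {
    gen_rules | grep -c -- '-j REJECT'
}

# has_rule CHAIN DST returns 0 if a NEW-state REJECT rule for CHAIN/DST exists.
has_rule() {
    gen_rules | grep -q -- "-A $1 -i $IF_B -s $NET_B -d $2 -m state --state NEW -j REJECT"
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    gen_rules
fi
```

The -i check matters because without it a spoofed packet arriving on another interface with a network B source address would also be caught, which is fine, but more importantly the rules stay tied to the physical path the thread is concerned about and can be audited against the interface table. Note that `-m state` is the older spelling of the conntrack match; on current kernels `-m conntrack --ctstate NEW` is the equivalent.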