| View previous topic :: View next topic |
| Author |
Message |
Missy
Guest
|
 Posted: Sun May 22, 2005 6:24 pm Post subject: Rules incorporating subnet addresses |
 |
|
Does anyone know the answer to this one???
I'm configuring a firewall that's got an eth0 link to the internet & an eth1 link to an internal subnet (172.16.2.0).
I've put in this rule to stop all ssh access to a PC (192.16.2.120) on the subnet via the firewall:
iptables -A FORWARD -p tcp -s 0/0 -d 172.16.2.120 --dport 22 -j DROP
however, this rule is still allowing other PCs on the subnet to connect to the PC. I've also tried the following rules, even to the point of specify an individual source PC on the subnet & dropping all ssh traffic to the destination PC & changing the FORWARD policy to DROP:
iptables -A FORWARD -p tcp -s 172.16.2.0/24 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -s 172.16.2.220 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -d 172.16.2.120 --dport -j DROP
iptables -P FORWARD DROP
Yet i can still contact the destination PC from another PC on the subnet. I've read & read & read till I'm blue in the face & can't for the life in me figure out why this isn't working!!
Does anybody have any suggestions???
Cheers |
|
| Back to top |
|
 |
Nigel
LXF regular
Joined: Fri Apr 08, 2005 9:03 pm
Posts: 1141
Location: Gloucestershire, UK
|
| Posted: Sun May 22, 2005 11:24 pm Post subject: RE: Rules incorporating subnet addresses |
|
|
Um, I may be misreading this, but why would traffic from one machine on the subnet to another machine on the same subnet be going through your firewall at all ? You need to set up something on 172.16.2.120 itself to drop all incoming ssh connections.
AFAIK the firewall will only affect connections that use that machine as a router (ie it needs to come in on one of your ethernet cards and go out on the other), or stuff that comes in on either card destined for the firewall box itself.
_________________
Hope this helps,
Nigel. |
|
| Back to top |
|
|
Guest
|
| Posted: Mon May 23, 2005 12:46 am Post subject: RE: Rules incorporating subnet addresses |
|
|
Thanks Nigel
That makes sense! |
|
| Back to top |
|
|
Guest
|
| Posted: Mon May 23, 2005 10:28 am Post subject: RE: Rules incorporating subnet addresses |
|
|
Hmmm. but what concerns me here is how does a PC with an IP address like 192.16.2.20 succeed at all in communicating on a subnet id of 172.16.2.0 ??? typo in subnet id ?
Once that aspect is sorted, the challenge is to figure out how to test it correctly......if you have access to a second PC, best to set up a slow old dial-up connection to the Internet so you can "pretend" to be someone on the "public" side of the FW.
CharlieS. |
|
| Back to top |
|
|
Nigel
LXF regular
Joined: Fri Apr 08, 2005 9:03 pm
Posts: 1141
Location: Gloucestershire, UK
|
| Posted: Mon May 23, 2005 11:18 am Post subject: RE: Rules incorporating subnet addresses |
|
|
I'm guessing that the 192.16.2.20 was a typo as everything else in the post refers to 172.16.2.120...
_________________
Hope this helps,
Nigel. |
|
| Back to top |
|
|
| View previous topic :: View next topic |
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
