[lug] iptables

D. Stimits stimits at idcomm.com
Tue May 21 22:29:08 MDT 2002


j davis wrote:
> 
> so you're telling me that iptables would never DNAT any traffic to my firewall
> from the internet to the private IP associated with the firewall unless I
> wrote a rule in PREROUTING. And my daemons will take requests from either because
> they are not bound to a specific IP?

NAT can route an IP from any IP to any other IP if it thinks it is
supposed to. But the 10.x.x.x IP addresses are not routable on the
Internet; there is a big difference, especially if someone is trying to
crack your system. Because 10.x.x.x is not routable on the Internet,
you are guaranteed that anything wanting to connect directly to a
10.x.x.x address, and not indirectly via NAT, is via spoofing and is
malicious. Just because the Internet won't route it doesn't mean
someone can't spoof it. So any packet arriving from the Internet,
directly asking for a 10.x.x.x IP, should be rejected. If the packet
originates internally, then don't reject it. Your IP that is visible to
the outside world is a non-10.x.x.x IP. So take the ethernet with a
non-10.x.x.x IP and reject port 23; this is the one a valid non-spoofed
packet will go to initially. Now if for some reason you have a NAT rule,
then a *valid* packet that arrives from the outside will say it is bound
for a port of the visible public address; it won't know anything about
the 10.x.x.x address. This is where the kernel knows and redirects
it... thus the redirect in that case is arriving initially on the
non-10.x.x.x, and the 10.x.x.x ethernet never sees it until the kernel
itself does its thing. Was that helpful or confusing?

The short answer is that the outside world packets will *never* hit the
10.x.x.x ethernet unless the kernel does something or if the packets are
spoofed.

D. Stimits, stimits at idcomm.com

> 
> Please Help,
> jd
> 
> >From: "D. Stimits" <stimits at idcomm.com>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: Re: [lug] iptables
> >Date: Tue, 21 May 2002 21:18:31 -0600
...
> >j davis wrote:
> > >
> > > Hi,
> > > so if a request is made to the public interface of my firewall, is
> > > the request processed as the public IP or the private IP for the
> > >firewall?
> > >
> > > example :
> > >
> > > I want to block telnet access to my firewall from the internet. I write
> > > rules
> > > in the INPUT chain to do this. Would I write the rule blocking telnet
> > >using
> > > the public or private interface?
> > >
> > > /sbin/iptables -A INPUT -i eth0 -d 10.0.0.1 -p tcp --dport 23 -j DROP
> > >
> > >                       or
> > >
> > > /sbin/iptables -A INPUT -i eth0 -d $MY_PUB_IP -p tcp --dport 23 -j DROP
> > >
> > > Thanks
> > > jd
> >
> >What is the routable IP visible to the world? That is the IP you block.
> >Anything arriving from the outside that is pointed at a non-routable
> >10.x.x.x IP should be considered hostile and summarily banned; if
> >something on the inside is supposed to receive the packet via
> >masquerade, then it will not know about the non-routable IP; it will be
> >up to the kernel to put it to the right IP/port.
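The rule set the replies above describe, written out as a script. This is an added example, not code from the thread; PUB_IF=eth0, LAN_NET=10.0.0.0/8 and the TEST-NET-3 address 203.0.113.10 standing in for $MY_PUB_IP are assumed placeholders, and IPT=echo gives a dry run that prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example: INPUT-chain rules matching the advice in the thread.
# Assumptions (placeholders, not from the original post):
#   PUB_IF  - NIC carrying the routable public address
#   PUB_IP  - that public address (TEST-NET-3 value here)
#   LAN_NET - the non-routable private range behind the firewall
# Set IPT=echo to review the rules without touching the kernel.
: "${IPT:=/sbin/iptables}"
: "${PUB_IF:=eth0}"
: "${PUB_IP:=203.0.113.10}"
: "${LAN_NET:=10.0.0.0/8}"

# Anti-spoof: nothing on the Internet can legitimately carry a 10.x.x.x
# destination or source, so such a packet arriving on the public NIC is
# spoofed and is dropped before any daemon sees it.
anti_spoof_rules() {
    "$IPT" -A INPUT   -i "$PUB_IF" -d "$LAN_NET" -j DROP
    "$IPT" -A INPUT   -i "$PUB_IF" -s "$LAN_NET" -j DROP
    "$IPT" -A FORWARD -i "$PUB_IF" -s "$LAN_NET" -j DROP
}

# Block telnet to the firewall itself on the address a valid outside
# packet carries when it first arrives: the routable public IP.
block_telnet_rules() {
    "$IPT" -A INPUT -i "$PUB_IF" -d "$PUB_IP" -p tcp --dport 23 -j DROP
}

apply_rules() {
    anti_spoof_rules
    block_telnet_rules
}

# Dry run in a subshell so IPT=echo does not leak into the caller.
render_rules() {
    ( IPT=echo; apply_rules )
}
```

Run `render_rules` first to review the four rules, then `apply_rules` as root to load them.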
