-
August 18th, 2004, 01:41 PM
#1
blocking a range of ips with iptables
Ok, hopefully this will make sense. I have a Linux box A plugged into a Cisco router. A has 2 network cards, external and internal, and has iptables NATing the local network. These machines are 192.168.1.x.
Also plugged into the same router is another Linux box B with a similar setup: 1 external IP and then NATing for another internal network, 192.168.2.x.
I was experimenting with dsniff and I found that people on the 2.x block were able to recover passwords on the 1.x block, so I set up a rule on each box like so:
on A
iptables -A INPUT -p all -s 192.168.2.0/24 -j REJECT
on B
iptables -A INPUT -p all -s 192.168.1.0/24 -j REJECT
People on the B network still seem to be able to sniff though... any ideas? I do not want them to see each other at all. They cannot ping or traceroute each other, but I want to stop all network access between the two.
Thanks in advance.
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
August 18th, 2004, 02:35 PM
#2
The INPUT chain applies to packets that are targeting the Linux box itself.
But since you are using those Linux boxes as "routers", you should use the FORWARD chain.
on A
iptables -A FORWARD -s 192.168.2.0/24 -j REJECT
on B
iptables -A FORWARD -s 192.168.1.0/24 -j REJECT
But instead, I think you should consider configuring your Linux firewall the opposite way:
block everything and afterwards allow only the desired traffic.
I think it is a better design.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
August 18th, 2004, 02:43 PM
#3
I know I had it working before....I appreciate your help, I will give it a go.
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
August 18th, 2004, 03:02 PM
#4
Originally posted here by cacosapo
But instead, I think you should consider configuring your Linux firewall the opposite way:
block everything and afterwards allow only the desired traffic.
I think it is a better design.
This is the approach that should always be used.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
August 18th, 2004, 03:08 PM
#5
Ya, the script I have been using has been pretty tight so far. I found that it was blocking everything but allowing access from 192.168.0.0/32, since it is assuming those are all going to be local machines you would let do anything, apparently. Thus wouldn't 192.168.2.0/24 fall under that range?
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
August 18th, 2004, 03:22 PM
#6
No, a /32 always means one address. 192.168.1.0/7 would be the appropriate range (I think, I'm a bit rusty on my subnetting).
A quick ref. for subnetting: http://www.sinclair.org.au/keith/net...g/subnet1.html
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
August 18th, 2004, 03:24 PM
#7
192.168.0.0/32 <---- allows just one host, since all bits (32 bits) are significant. But 192.168.0.0 is pretty odd, since it is also a network address.
I have no idea what happens if you have a rule like this....
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
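The two points the thread turns on, the INPUT/FORWARD distinction from post #2 and the /32 vs /24 prefix question from posts #5-#7, as an added example that is not from the thread or from any poster's script. It models box A's rules with the standard-library ipaddress module; the rule sets, the chain policies and the host 192.168.2.10 are constructed for illustration, and real iptables matching also considers interface, destination and protocol, which this simplification leaves out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rules modelling box A from the thread (not the poster's full script).
@dataclass(frozen=True)
class Rule:
    chain: str   # "INPUT" or "FORWARD"
    source: str  # the prefix given to -s
    target: str  # "ACCEPT", "REJECT" or "DROP"

def chain_for(packet_addressed_to_box: bool) -> str:
    """Packets for the box itself hit INPUT; packets routed through it hit FORWARD."""
    return "INPUT" if packet_addressed_to_box else "FORWARD"

def matches(rule: Rule, src: str) -> bool:
    """-s is a prefix match: true when src lies inside the rule's source network."""
    return ip_address(src) in ip_network(rule.source, strict=False)

def verdict(rules, chain: str, src: str, policy: str = "ACCEPT") -> str:
    """First matching rule in the chain wins; otherwise the chain's policy (-P) applies."""
    for rule in rules:
        if rule.chain == chain and matches(rule, src):
            return rule.target
    return policy

def addresses_in(prefix: str) -> int:
    """How many addresses a prefix covers: /32 is exactly one, /24 is 256, /16 is 65536."""
    return ip_network(prefix, strict=False).num_addresses

# Post #1: the REJECT lives in INPUT, so a 2.x -> 1.x packet routed by A never sees it.
ORIGINAL_A = [Rule("INPUT", "192.168.2.0/24", "REJECT")]
# Post #2: the same match moved to FORWARD catches routed traffic.
FIXED_A = [Rule("FORWARD", "192.168.2.0/24", "REJECT")]
# Post #2's "block everything, then allow": policy DROP plus an explicit allow for A's own LAN.
DEFAULT_DENY_A = [Rule("FORWARD", "192.168.1.0/24", "ACCEPT")]

def routed_verdict(rules, src: str, policy: str = "ACCEPT") -> str:
    """Verdict for a packet from src that A must route on to the other network."""
    return verdict(rules, chain_for(packet_addressed_to_box=False), src, policy)

if __name__ == "__main__":
    host_b = "192.168.2.10"  # constructed host on B's network
    print("original rules, routed packet:", routed_verdict(ORIGINAL_A, host_b))             # ACCEPT
    print("FORWARD rule, routed packet:  ", routed_verdict(FIXED_A, host_b))                # REJECT
    print("default-deny, routed packet:  ", routed_verdict(DEFAULT_DENY_A, host_b, "DROP")) # DROP
    print("192.168.0.0/32 covers", addresses_in("192.168.0.0/32"), "address(es)")           # 1
    print("192.168.0.0/16 covers", addresses_in("192.168.0.0/16"), "addresses")             # 65536
    print("2.x inside 192.168.0.0/32?", matches(Rule("INPUT", "192.168.0.0/32", "ACCEPT"), host_b))  # False
```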
-
August 18th, 2004, 03:33 PM
#8
Well, I have had dsniff running for close to an hour, and it's not picking up anything on the other block. Thanks for all the help guys!
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.