Iptables Problem, somehow subnets leaking together...
Robert83
post Nov 9 2004, 03:27 PM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hi,

I don't know how or why, but Angry IP Scanner can actually see machines from subnets 192.168.0.x and 192.168.2.x while I'm on 192.168.1.38, at random... How can one completely block everything from reaching through subnets?

My NAT server iptables:

#!/bin/sh
# Drop all forwarding between the three LAN interfaces
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
iptables -A FORWARD -i eth2 -o eth1 -j DROP
# Redirect all port 80/443 TCP traffic to 192.168.10.1:88
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.1:88
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.10.1:88
# Forward VNC (5900) arriving on 192.168.10.2 to 192.168.2.10
iptables -t nat -A PREROUTING -p tcp -d 192.168.10.2 --dport 5900 -j DNAT --to 192.168.2.10:5900
# Source NAT the three LANs to 192.168.10.2
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.10.2
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source 192.168.10.2
iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j SNAT --to-source 192.168.10.2

How come the subnets see each other partially (some machines... at random)? Angry IP Scanner displays a few... why?
...

Meanwhile... I think I discovered something. Remember when I asked about DHCP server trouble with multiple subnets? Well, it's still buggy sometimes... I was thinking about using a firewall on all three DHCP servers and blocking MAC addresses that don't belong there... Would this help me prevent client Windows computers from even sending a DHCP request to the DHCP server (which they are not supposed to), thus even eliminating the "there are no free leases, or wrong subnet" response from the DHCP server?

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
Robert83
post Nov 9 2004, 03:49 PM
Post #2
Hi,

For blocking via MAC addresses I thought about using something like this:

iptables -I INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

I will use this on each DHCP server, in the hope that the packets the clients send won't even reach the DHCP server... so it won't bother with the clients (so... the CHAOS with the three DHCP servers will finally end... and I can die happy :) ..or at least have some beer :) ).

The second problem is... I've got 75 computers on the entire LAN (in three subnets)... so um, this firewall script is going to be really long. Anyone know how to do this the smart way?

Even if I only allow the MAC addresses that are supposed to access the DHCP server, it's still going to be quite a long list, so there must be a way to read all this from a file or something like that.

Sincerely
Robert B

Robert83
post Nov 9 2004, 04:00 PM
Post #3
Hi,

I just found this (and modified it a bit):

CODE
#!/bin/sh

# User-defined chain: accept the listed MACs, drop everything else
iptables -N MAC_RULE

# One MAC address per line in /etc/macs.allow
for MAC in $(cat /etc/macs.allow)
do
    iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
iptables -A MAC_RULE -j DROP

# Send incoming TCP traffic through the chain
iptables -A INPUT -p tcp -j MAC_RULE

The last line (iptables -A INPUT -p tcp -j MAC_RULE) <-- please explain what this is? (Why is it needed? Above, MAC_RULE -j ACCEPT is already specified, and MAC_RULE DROP as well...)


would this work ?

Sincerely
Robert B

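As an added example (not code from the thread), here is a dry-run version of the MAC allowlist chain: each entry read from the file is validated, and the final INPUT rule is what makes a user-defined chain like MAC_RULE see any traffic at all, since nothing traverses it until a built-in chain jumps to it. The file path and the udp/67 match are my assumptions; DHCP requests are UDP, so the "-p tcp" jump above would never match them.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the MAC_RULE chain from an
# allowlist file and hooks it into INPUT for DHCP requests, which arrive as
# UDP to port 67 (the thread's "-p tcp" jump would never match them).
# IPT defaults to "echo iptables" so the script can be dry-run on any box;
# run it as IPT=iptables ./mac-allow.sh on the server to apply the rules.
IPT="${IPT:-echo iptables}"

# Emit the rules for the allowlist in $1 (one MAC per line; blank lines and
# '#' comments are skipped, malformed entries are reported and skipped).
build_mac_rules() {
    # A user-defined chain is inert until a built-in chain jumps to it:
    # the ACCEPT and DROP rules below only run because of the final INPUT rule.
    $IPT -N MAC_RULE
    while read -r mac _; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "skipping malformed entry: $mac" >&2
            continue
        fi
        $IPT -A MAC_RULE -m mac --mac-source "$mac" -j ACCEPT
    done < "$1"
    # Anything not accepted above falls through to the DROP.
    $IPT -A MAC_RULE -j DROP
    # Hand DHCP requests (UDP/67) to the chain; other traffic is untouched.
    $IPT -A INPUT -p udp --dport 67 -j MAC_RULE
}

# Constructed sample allowlist for the dry run, not a real site's file.
SAMPLE_ALLOW="${TMPDIR:-/tmp}/macs.allow.$$"
cat > "$SAMPLE_ALLOW" <<'EOF'
# workstations on the 192.168.1.0/24 segment
00:11:22:33:44:55
00:11:22:33:44:56  pc-accounting
not-a-mac
EOF

build_mac_rules "$SAMPLE_ALLOW"
rm -f "$SAMPLE_ALLOW"
```

As the next post in the thread reports, the DHCP daemon reads requests through raw sockets, so INPUT rules cannot keep them from it; the chain still applies to ordinary IP traffic delivered to the host.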
Robert83
post Nov 10 2004, 12:28 PM
Post #4
Hi,

...meanwhile I've found out that iptables cannot block DHCP since it uses raw...

But I discovered something else...

Combining authoritative into a group { host ... host n } and putting deny unknown-clients into the global section fixes the problem.

Sincerely
Robert B

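An added example (not the poster's configuration) that generates the host declarations for the approach just described, so the 75-machine list from post #2 can live in a text file instead of being typed into dhcpd.conf: the inventory format, hostnames, MACs and addresses are all constructed, and the global deny unknown-clients means a client with no host entry gets no lease offer.

```shell
#!/bin/sh
# Added example, not the poster's configuration: generates the host
# declarations for ISC dhcpd from a plain-text inventory. Inventory lines
# are "hostname mac-address fixed-ip"; the format and all values are constructed.

# Print a dhcpd.conf fragment for the inventory file in $1.
# "deny unknown-clients" at global scope means a client with no matching
# host declaration is ignored instead of being offered a lease, and the
# group {} wraps the host declarations so shared options can be set once.
gen_dhcpd_hosts() {
    seen=""
    echo "authoritative;"
    echo "deny unknown-clients;"
    echo "group {"
    while read -r name mac ip _; do
        case "$name" in ''|'#'*) continue ;; esac
        # Normalise case so duplicates are caught however they were typed.
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "skipping $name: malformed MAC '$mac'" >&2
            continue
        fi
        # Two host entries with the same MAC would make lease assignment ambiguous.
        case " $seen " in *" $mac "*)
            echo "skipping $name: MAC $mac already declared" >&2
            continue ;;
        esac
        seen="$seen $mac"
        printf '    host %s {\n' "$name"
        printf '        hardware ethernet %s;\n' "$mac"
        printf '        fixed-address %s;\n' "$ip"
        printf '    }\n'
    done < "$1"
    echo "}"
}

# Constructed sample inventory for a stand-alone run.
SAMPLE_INV="${TMPDIR:-/tmp}/dhcp-hosts.$$"
cat > "$SAMPLE_INV" <<'EOF'
# hostname        mac                ip
pc-reception      00:11:22:33:44:55  192.168.1.10
pc-accounting     00:11:22:33:44:56  192.168.1.11
pc-duplicate      00:11:22:33:44:55  192.168.1.12
EOF

gen_dhcpd_hosts "$SAMPLE_INV"
rm -f "$SAMPLE_INV"
```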
hughesjr
post Nov 11 2004, 05:26 AM
Post #5


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Chrsiti, TX, USA
Member No.: 1,151



You are very active :)

Just a question... why don't you locate the DHCP server on the proxy server (the one that has all the subnets, each on a separate NIC) and issue all the DHCP leases from one server?

Not that you need to change anything if it is working correctly...


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE