Iptables Problem
Robert83
Hi,

I don't know how or why, but Angry IP Scanner can actually see machines from subnets 192.168.0.x and 192.168.2.x while I'm on 192.168.1.38, at random... How can one completely block everything from reaching across subnets?

My NAT server iptables script:

#!/bin/sh
# Drop traffic forwarded between the three LAN interfaces (one per subnet)
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
iptables -A FORWARD -i eth2 -o eth1 -j DROP
# Redirect TCP port 80 and 443 traffic entering any interface to the proxy on 192.168.10.1:88
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.1:88
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.10.1:88
# Forward VNC (5900) arriving at the server's 192.168.10.2 address to the host 192.168.2.10
iptables -t nat -A PREROUTING -p tcp -d 192.168.10.2 --dport 5900 -j DNAT --to 192.168.2.10:5900
# Source-NAT the three subnets behind 192.168.10.2
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.10.2
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source 192.168.10.2
iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j SNAT --to-source 192.168.10.2

How come the subnets partially see each other (some machines... at random)? Angry IP Scanner displays a few... why?
...

Meanwhile... I think I discovered something. Remember when I asked about DHCP server trouble with multiple subnets? Well, it's still buggy sometimes... I was thinking about using a firewall on all three DHCP servers and blocking MAC addresses that don't belong there. Would this help me prevent client Windows computers from even sending a DHCP request to the DHCP server (which they are not supposed to?), thus even eliminating the "there are no free leases, or wrong subnet" response from the DHCP server?

Sincerely
Robert B
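An added example, not the poster's script: a small generator for a fail-closed FORWARD chain that covers any number of LAN interfaces, plus a checker that reads the output of `iptables -S FORWARD` and reports every LAN interface pair that can still be forwarded. It is one way to confirm that a set of hand-written pair rules like the six above actually covers every case. The interface names, the upstream interface `eth3`, and the sample rule dumps used for testing are assumptions for the example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not the thread's script: generate a fail-closed FORWARD chain
# for any number of LAN interfaces, and check an 'iptables -S FORWARD' dump
# for LAN pairs that can still be forwarded. Interface names are assumptions.

LAN_IFS="eth0 eth1 eth2"   # one NIC per subnet, as in the thread
WAN_IF="eth3"              # assumed upstream interface (not in the thread)

# gen_forward_rules: print (not run) the rules. With a DROP policy, a pair
# that is forgotten or a rule appended in the wrong order fails closed.
# Review the output, then: ./isolate.sh gen | sh
gen_forward_rules() {
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -F FORWARD'
    # Replies to connections the router already allowed
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Each LAN may only reach the upstream side; LAN-to-LAN hits the policy
    for lan in $LAN_IFS; do
        echo "iptables -A FORWARD -i $lan -o $WAN_IF -j ACCEPT"
    done
    # Log what the policy is about to drop, so leaks show up in the kernel log
    echo 'iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "'
}

# check_isolation FILE: FILE holds the output of 'iptables -S FORWARD'.
# Prints one 'leak: A->B' line per LAN pair that is still forwardable and
# returns 1 if any was found. It only understands the chain policy and plain
# '-i X -o Y -j ACCEPT|DROP' rules; a pair allowed by a broader rule (no -i/-o,
# address matches, ...) is not detected, so treat a clean result as a sanity
# check, not a proof.
check_isolation() {
    file="$1"
    policy=$(sed -n 's/^-P FORWARD //p' "$file")
    leaks=0
    for a in $LAN_IFS; do
        for b in $LAN_IFS; do
            [ "$a" = "$b" ] && continue
            if grep -q -- "-i $a -o $b -j ACCEPT" "$file"; then
                echo "leak: $a->$b (explicit ACCEPT)"
                leaks=$((leaks + 1))
            elif [ "$policy" != "DROP" ] && ! grep -q -- "-i $a -o $b -j DROP" "$file"; then
                echo "leak: $a->$b (no DROP rule and policy is $policy)"
                leaks=$((leaks + 1))
            fi
        done
    done
    [ "$leaks" -eq 0 ]
}

case "${1:-}" in
    gen)   gen_forward_rules ;;
    check) check_isolation "$2" ;;   # iptables -S FORWARD > dump; ./isolate.sh check dump
esac
```

One caveat the checker cannot cover: FORWARD rules only apply to packets that pass through this box. Hosts that share a physical segment or VLAN reach each other at layer 2 without the router ever seeing the traffic, so a scanner on such a segment will list them regardless of what the FORWARD chain says.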
Robert83
Hi,

Blocking via MAC addresses: I thought about using something like this:

iptables -I INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

I will use this on each DHCP server, in the hope that the packets the clients send won't even reach the DHCP server, so it won't bother with the clients (so... the CHAOS with the three DHCP servers will finally end, and I can die happy :) ... or at least have some beer :) ).

The second problem is... I've got 75 computers on the entire LAN (in three subnets), so this firewall script is going to be really long. Does anyone know how to do this the smart way?

Even if I only allow the MAC addresses that are supposed to access the DHCP server, it's still going to be quite a long list, so there must be a way to read all this from a file or something like that.

Sincerely
Robert B
Robert83
Hi,

I just found this (and modified it a bit):

CODE
#!/bin/sh

# Dedicated chain holding the MAC allowlist
iptables -N MAC_RULE

# One ACCEPT rule per MAC address listed in the file
for MAC in $(cat /etc/macs.allow)
do
    iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
# Anything that matched none of the ACCEPT rules above is dropped
iptables -A MAC_RULE -j DROP

# Send incoming TCP packets from the INPUT chain through MAC_RULE
iptables -A INPUT -p tcp -j MAC_RULE

Please explain what that last line is. (Why is it needed, when MAC_RULE -j ACCEPT is already specified above, and MAC_RULE DROP as well...)


Would this work?

Sincerely
Robert B
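An added example that serves both the "read the MACs from a file" question in the previous post and the chain posted here (it is not the poster's script and not the one he found). Two things it makes explicit: the rules inside MAC_RULE are only consulted for packets that a built-in chain sends there, so the `-A INPUT ... -j MAC_RULE` jump is what makes the chain do anything at all; and DHCP requests are UDP to port 67, so a jump restricted to `-p tcp` would never pass a DHCP request through the chain. The file path `/etc/macs.allow` is taken from the thread; the file format (one MAC per line, `#` comments allowed) and the sample addresses are assumptions. The rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not the poster's script): build the MAC_RULE chain from an
# allowlist file, printing the rules so they can be reviewed before running:
#   ./mac_allow.sh /etc/macs.allow | sh
# Assumed file format: one MAC per line, '#' comments and blank lines allowed.
# Caveat: this filters at netfilter INPUT only. A DHCP daemon that reads raw
# packet sockets (ISC dhcpd does) sees requests before this chain runs.

# valid_mac MAC: succeed if MAC looks like aa:bb:cc:dd:ee:ff (case-insensitive)
valid_mac() {
    printf '%s\n' "$1" | grep -E -i -q '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_mac_rules FILE: print the iptables commands for allowlist FILE.
# Malformed lines are reported on stderr and skipped instead of becoming a
# broken rule, and the DROP goes last, after every ACCEPT.
gen_mac_rules() {
    file="$1"
    # Create the chain, or flush it if a previous run already created it
    echo 'iptables -N MAC_RULE 2>/dev/null || iptables -F MAC_RULE'
    # Strip comments and all whitespace (including CR from Windows-edited
    # files), then validate each remaining line
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" | while IFS= read -r mac; do
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            echo "iptables -A MAC_RULE -m mac --mac-source $mac -j ACCEPT"
        else
            echo "skipping invalid MAC: $mac" >&2
        fi
    done
    echo 'iptables -A MAC_RULE -j DROP'
    # The jump is what makes the chain do anything: MAC_RULE is only consulted
    # for packets sent to it from a built-in chain. DHCP requests are UDP to
    # port 67, so match that; a '-p tcp' jump would never see them.
    echo 'iptables -I INPUT -p udp --dport 67 -j MAC_RULE'
}

# When a file is given on the command line, print the rules for it
if [ $# -gt 0 ]; then
    gen_mac_rules "$1"
fi
```

Since `-m mac --mac-source` only sees the Ethernet source address, it only works on the interface directly attached to the clients; a DHCP request relayed from another subnet arrives with the relay's MAC, not the client's.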
Robert83
Hi,

...meanwhile I've found out that iptables cannot block DHCP since it uses raw...

But I discovered something else...

Combining authoritative into a group { host ... host n } and putting deny unknown-clients in the global scope fixes the problem.

Sincerely
Robert B
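The fix described in this post, written out as an added example dhcpd.conf (not the poster's file; the subnet, addresses and MACs are made up): `authoritative` and `deny unknown-clients` at global scope, and the permitted hosts declared in one `group`. With `deny unknown-clients` in effect, a client whose MAC has no `host` declaration is not offered a lease by this server, which is what stops a server on the wrong subnet from answering clients that do not belong to it.

```conf
# Added example dhcpd.conf, not the poster's file. Addresses and MACs are
# made up. Only hosts declared below receive leases from this server.
authoritative;
deny unknown-clients;

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
}

# One entry per machine that belongs to this subnet; the group keeps any
# shared options in one place instead of repeating them per host.
group {
    option domain-name-servers 192.168.1.1;

    host pc01 { hardware ethernet 00:11:22:33:44:55; }
    host pc02 { hardware ethernet 00:11:22:33:44:66; }
    host pc03 { hardware ethernet 00:11:22:33:44:77; }
}
```

Check the syntax with `dhcpd -t -cf /path/to/dhcpd.conf` before restarting the daemon; a typo in one host block otherwise takes the whole subnet's DHCP down.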
hughesjr
You are very active :)

Just a question... why don't you locate the DHCP server on the proxy server (the one that has all the subnets, each on a separate NIC) and issue all the DHCP requests from one server?

Not that you need to change anything if it is working correctly...