Thanks... :-)

-----Original Message-----
From: Scott Zuk [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 11, 2003 2:37 PM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) IPTables

On October 11, 2003 12:27 am, Brian Horncastle wrote:
> > Bringing down and up all your aliases doesn't really belong in this
> > script and I'm not sure it will actually do anything if they're all
> > static addresses anyway.  Shouldn't do any harm though.
>
> --- This is only for testing and implementation purposes.  The version
> of my script that I posted doesn't exactly reflect the script that I
> have at this moment.  Some of the sub-interfaces I have shut down
> through this script in order to avoid IP conflicts with the servers
> running from the old network.  Once I have moved all of the servers
> onto the new DMZ network behind the Linux box this section of the
> script will be removed.

No problem, just looked a little odd that's all.

> > Why are you running "/etc/init.d/iptables stop" and
> > "/etc/init.d/iptables start" when you just flush the rules a few
> > lines later (probing for modules maybe)?  This also shouldn't do any
> > harm but is inefficient and you could end up restoring some stale
> > rules if they contained some user defined chains.
>
> --- Point taken.
>
> > - In almost every rule block for each IP you have a couple of rules
> > for dns like the following:
> >
> > iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
> > iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
> >
> > These rules are NOT unique and each subsequent rule further down the
> > script will overwrite the previous one with the new --to IP.  To make
> > these rules unique you need to add an argument for the destination IP
> > (-d 60.30.135.xxx) to each rule.  I suspect this is the major reason
> > your script isn't working as expected but haven't looked too closely
> > to see if there are others.  It might be best to comment out all the
> > rules for each host except one or two until you get things working
> > right for those hosts first.  Good luck!
>
> --- Ooops...  Thanks for catching that.  I actually was doing it by
> interface originally, but ran into a brick wall as Iptables doesn't
> appear to like the "eth0:1" type syntax.  Does Iptables support
> sub-interfaces at all?  Or am I just using the wrong syntax?
> Alternatively yeah, I could do destination IP as you suggest.  Is there
> any benefit of one way over the other?  I was originally thinking
> interface would be the best way to go in order to avoid IP spoofing.  Or
> am I completely out to lunch?  For now I will try the destination IP as
> you suggest.

Unfortunately, iptables can't use subinterfaces/aliases with the -i or -o
arguments, it only allows you to use actual hardware devices (eth0, eth1,
etc).  I've discovered that limitation myself in the past too.

The big advantage with using interface vs. IP matching is when the IP address
can change at any time, like with DHCP.  If you match by interface, DHCP
might change your IP when the lease expires but the iptables rules would
still be valid and you'd have nothing to worry about.  However if you match
by IP, DHCP could change your IP and the iptables rules would become invalid,
you'd have to detect the IP change and rerun the iptables script using the
new IP address.  Hopefully you have static IP addresses for your 13
subinterfaces and can explicitly use them in your script because it's more
straightforward.  If the IPs can change, you'll have to figure out a way to
trigger a rerun of the iptables script, and your script will have to do some
sed/grep magic to extract the new IPs and save them to variables etc.  I've
seen some examples that can do this but don't have any links off hand.  If
each one of your servers was running different services on different ports
(one for ftp/21, one for ssh/22, etc) you could easily determine which
machine to DNAT to by just looking at the port number like you were, but
since you are running services on port 53 of each one of your servers you
need to look at the dest IP to make each rule unambiguous.

Also, I wouldn't worry too much about handling spoofed IP addresses with
iptables.  IP spoof protection can usually be enabled in the kernel by
setting /proc/sys/net/ipv4/conf/*/rp_filter to 1 (i.e. echo 1 >
/proc/sys/net/ipv4/conf/all/rp_filter).  Some distros enable this in one of
the init scripts before networking is completely up or have a setting
somewhere in /etc to turn it on so take a look for that.  If you still want
to be sure though you can add something like the following to drop obviously
fake source IPs arriving on the internet facing interface:

# Filter in the mangle table rather than nat: the nat PREROUTING chain is
# only consulted for the first packet of each connection, so a DROP placed
# there never sees the rest of the flow.  mangle PREROUTING sees every packet.
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP

I wouldn't expect those rules to ever get matched though unless your ISP was
playing tricks on you because routers on the internet should drop packets
with unroutable source addresses.

Regards,
~Scott
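The advice in Scott's reply (match DNAT rules on -d per public address rather than on aliased interfaces, pull the current addresses out of ip(8) output with sed when they can change, and drop private source addresses on the internet-facing side) pulled together as an added example. This is illustration written for this page, not a script from the thread or from either poster. The interface name eth0, the public addresses 60.30.135.10-12, the DMZ hosts 192.168.1.209-211 and the sample ip output are all made up; the script only prints the iptables commands so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not a script from the thread.  Generates the iptables
# commands as text so it can be read (or piped into sh to apply) without
# running as root.  All addresses, the interface name and the mapping below
# are made up for illustration.

WAN_IF=eth0   # assumed name of the internet-facing hardware interface

# Constructed sample of `ip -4 -o addr show dev eth0` output.  A real script
# would run that command instead of echoing this text.
SAMPLE_IP_OUTPUT='2: eth0    inet 60.30.135.10/24 brd 60.30.135.255 scope global eth0
2: eth0    inet 60.30.135.11/24 brd 60.30.135.255 scope global secondary eth0:1
2: eth0    inet 60.30.135.12/24 brd 60.30.135.255 scope global secondary eth0:2'

# The "sed/grep magic": pull the IPv4 addresses (one per line) out of ip(8)
# output read from stdin, so a rerun after a DHCP change picks up whatever
# addresses are assigned right now.
wan_addrs() {
    sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p'
}

# Which DMZ host serves a given public address.  Constructed lookup table;
# returns non-zero for addresses that have no mapping.
dmz_for() {
    case $1 in
        60.30.135.10) echo 192.168.1.209 ;;
        60.30.135.11) echo 192.168.1.210 ;;
        60.30.135.12) echo 192.168.1.211 ;;
        *) return 1 ;;
    esac
}

# The two DNAT rules (tcp and udp) for one public address -> DMZ host and
# port.  The -d match is what makes each rule unique: without it the first
# port-53 rule in the chain matches every address and the rest never fire.
dnat_rules() {
    pub=$1; dmz=$2; port=$3
    for proto in tcp udp; do
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
            "$WAN_IF" "$pub" "$proto" "$port" "$dmz"
    done
}

# Drop packets arriving on the WAN interface with an RFC 1918 source.  The
# mangle table is used because it sees every packet; the nat table is only
# consulted for the first packet of a connection.
antispoof_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf 'iptables -t mangle -A PREROUTING -i %s -s %s -j DROP\n' "$WAN_IF" "$net"
    done
}

# Full rule list for whatever addresses the WAN interface currently has:
# flush, anti-spoof drops, then one pair of DNAT rules per public address.
ruleset() {
    printf 'iptables -t nat -F PREROUTING\n'
    printf 'iptables -t mangle -F PREROUTING\n'
    antispoof_rules
    printf '%s\n' "$SAMPLE_IP_OUTPUT" | wan_addrs | while read -r pub; do
        dmz=$(dmz_for "$pub") || continue   # no DMZ host for this address
        dnat_rules "$pub" "$dmz" 53
    done
}

ruleset      # print the generated commands; `ruleset | sh` would apply them
```

Run it from a DHCP hook (or cron) and the rules are regenerated from the addresses actually present, which is the rerun Scott describes; with static addresses the sed step can simply be replaced by a fixed list.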


