Hello all, Please excuse my long description, but it is a complex scenario. Also I know little about iptables and got things working with config fragments I found on the net.
I have a VLANed network to which I would like to connect a commercial vulnerability scanner. The scanner is an appliance from a vendor which is not very configurable. Therefore I have put a debian lenny firewall in front of the scanner. The firewall has these interfaces:

- admin0, which is a normal interface with openssh listening. Also the scanner vendor is reachable via this interface.
- scanner0, which has udhcpd and bind listening on it. This is connected to the vulnerability scanner with a crossover cable, and the bind and dhcp configure it so that it routes via the lenny firewall and can find the vendor's IP addresses.
- trunk0, which is a VLANed interface to an ethernet switch.
- trunk1, which is a VLANed interface to another ethernet switch.

I am using iptables to SNAT the scanner traffic onto IP addresses that the lenny firewall owns inside each VLAN. This is all working beautifully and I can successfully scan hosts in each VLAN for security vulnerabilities.

The problem is that I think that I have broken the security model that uses VLANs to segregate the hosts that I'm scanning. I believe that any host in any VLAN could also send traffic to another VLAN if it routes it via the IP address of the lenny firewall that it has locally in its own VLAN, and that my firewall will SNAT that host's traffic onto its own IP address in the other VLAN. This is not what I wanted. What I want is for only the scanner on interface scanner0 to be SNATed and nothing else. Note that the lenny firewall is only supposed to be used for scanning because there is another firewall on each VLAN for carrying normal packets.
My nat.sh startup script looks like this:

    #!/bin/sh
    # load the netfilter / NAT modules and the ftp and irc connection-tracking helpers
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc
    # turn on routing between the interfaces
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # SNAT everything leaving on each interface onto the firewall's own address in that VLAN
    iptables -t nat -A POSTROUTING -o admin0 -j SNAT --to 10.0.1.5
    iptables -t nat -A POSTROUTING -o trunk0.1 -j SNAT --to 10.0.2.254
    iptables -t nat -A POSTROUTING -o trunk0.2 -j SNAT --to 10.0.3.254
    iptables -t nat -A POSTROUTING -o trunk0.3 -j SNAT --to 10.0.4.254
    iptables -t nat -A POSTROUTING -o trunk1.1 -j SNAT --to 10.0.5.254
    iptables -t nat -A POSTROUTING -o trunk1.2 -j SNAT --to 10.0.6.254
    iptables -t nat -A POSTROUTING -o trunk1.3 -j SNAT --to 10.0.7.254

How can I change this so that only packets from interface scanner0 can get SNATed and nothing else?

thanks,
Philip
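The following is an added example, not Philip's nat.sh, showing one way to restrict the setup to scanner traffic: the POSTROUTING chain cannot match on the incoming interface, so the SNAT is keyed on the scanner's source range instead (assumed here to be 192.0.2.0/24, the subnet udhcpd hands out on scanner0), and the FORWARD chain is set to a default DROP so that a host in one VLAN can no longer route through the box into another VLAN at all, SNATed or not. Setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Constructed example: SNAT only flows entering on scanner0 and refuse to
# forward anything else between VLANs. Not the original poster's script.
IPT="${IPT:-iptables}"
SCANNER_IF=scanner0
# Assumption: the subnet udhcpd gives the scanner on scanner0 (not in the post).
SCANNER_NET="${SCANNER_NET:-192.0.2.0/24}"

# "interface  SNAT address" pairs, taken from the original nat.sh
SNAT_MAP="admin0 10.0.1.5
trunk0.1 10.0.2.254
trunk0.2 10.0.3.254
trunk0.3 10.0.4.254
trunk1.1 10.0.5.254
trunk1.2 10.0.6.254
trunk1.3 10.0.7.254"

build_rules() {
    # Default-deny forwarding: this is what actually stops a VLAN host from
    # using the firewall's local address as a route into another VLAN.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Replies to the scanner's own connections are allowed back through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$SNAT_MAP" | while read -r iface addr; do
        # Only new flows that arrived on scanner0 from the scanner's subnet
        # may be forwarded out towards a VLAN.
        $IPT -A FORWARD -i "$SCANNER_IF" -s "$SCANNER_NET" -o "$iface" -j ACCEPT
        # POSTROUTING has no -i match, so the SNAT is restricted by source
        # address; traffic from any other source is left untouched (and is
        # dropped by FORWARD anyway).
        $IPT -t nat -A POSTROUTING -s "$SCANNER_NET" -o "$iface" \
            -j SNAT --to-source "$addr"
    done
}

apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
}

# Load the rules for real only when run as "nat.sh apply".
if [ "${1:-}" = apply ]; then
    apply
fi
```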

