I've been rather annoyed by the RFC1918 packets showing up on the public
(kind of, it's complicated) side of my NAT router.  I found some good
summaries of the problem and its cause:

http://ubuntuforums.org/archive/index.php/t-1689959.html
http://bugzilla.netfilter.org/show_bug.cgi?id=693
http://www.smythies.com/~doug/network/iptables_notes/index.html

The best fix seems to be adding one of these lines to the FORWARD table,
depending on your preferred approach:
-A FORWARD -i $INTIF -p tcp -m state --state INVALID -j DROP
-A FORWARD -i $INTIF -p tcp ! --syn -m state --state NEW -j DROP

I know shorewall produces an Invalid table, which is called from the
Drop & Reject tables, but those are only called after a packet has
failed to match most of the rules (but just before the final DROP rule,
at least in the table I'm looking at right now, probably per
/etc/shorewall/policy file).

Can a rule be inserted in one of the ALL/ESTABLISHED/RELATED/NEW
sections of /etc/shorewall/rules in such a way that it will only apply
to INVALID packets?  I don't think so, unless there's some convoluted
logic that can apply it to INVALID but not the other states that fit in
the NEW section.  If not, what is the best way to get a rule with a
similar effect in my tables?  I see no way to put a state match directly
in a rule entry in /etc/shorewall/rules, either.

For reference, I'm still using 4.4.23.3 both on the machine I use for
man pages, and on the router.  I think the router may have still been
4.4.17 last time I did a shorewall restart.

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://www.prml.org/
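As an added example (not from the original post and not Shorewall's own code), here is a small POSIX sh check that reads iptables-save output and reports whether the FORWARD chain already carries one of the two drop rules quoted above, placed ahead of the first ACCEPT so it is actually reached. The interface name eth1 and the three sample rulesets are constructed for offline testing; on a real router you would feed it `$(iptables-save)` and your own internal interface name.

```shell
#!/bin/sh
# Added example: verify that FORWARD drops INVALID (or NEW-without-SYN) TCP
# packets arriving on the internal interface before any ACCEPT rule.
# Usage on a live box: forward_drops_invalid "$(iptables-save)" eth1

# Constructed sample: the fix is present and precedes the ACCEPT rules.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -p tcp -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: no INVALID handling at all.
SAMPLE_RULES_MISSING='*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Constructed sample: the drop rule exists but sits after the ACCEPT, so
# packets from eth1 are accepted before it is consulted.
SAMPLE_RULES_LATE='*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
COMMIT'

# forward_drops_invalid RULESET INTIF
# Returns 0 when the FORWARD chain has a DROP rule for INVALID state or for
# NEW-without-SYN from INTIF, and that rule precedes the first ACCEPT in the
# chain. Accepts both the older "-m state --state" and the newer
# "-m conntrack --ctstate" spellings that iptables-save may emit.
forward_drops_invalid() {
    ruleset=$1
    intif=$2
    # Keep only the FORWARD rules, in chain order.
    forward_rules=$(printf '%s\n' "$ruleset" | grep '^-A FORWARD ')
    # Position (1-based) of the first ACCEPT in the chain, if any.
    first_accept=$(printf '%s\n' "$forward_rules" \
        | grep -n -- '-j ACCEPT' | head -n1 | cut -d: -f1)
    # Position of the first qualifying DROP rule bound to INTIF, if any.
    drop_line=$(printf '%s\n' "$forward_rules" \
        | grep -n -- "-i $intif " \
        | grep -E -- '--(state|ctstate) INVALID -j DROP|! --syn .*--(state|ctstate) NEW -j DROP' \
        | head -n1 | cut -d: -f1)
    [ -n "$drop_line" ] || return 1          # no such rule at all
    [ -z "$first_accept" ] && return 0       # nothing accepts before it
    [ "$drop_line" -lt "$first_accept" ]     # must come before the ACCEPT
}

# Human-readable report for a ruleset, used when run interactively.
report() {
    if forward_drops_invalid "$1" "$2"; then
        echo "ok: FORWARD drops INVALID/non-SYN NEW from $2 before any ACCEPT"
    else
        echo "missing: no effective INVALID drop for $2 in FORWARD"
    fi
}

report "$SAMPLE_RULES" eth1
report "$SAMPLE_RULES_MISSING" eth1
report "$SAMPLE_RULES_LATE" eth1
```

The ordering check matters because, as the post notes, a drop that only runs after most rules have already been tried does nothing for traffic an earlier rule accepts; the function therefore treats a correctly spelled rule in the wrong position as missing.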


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users