On Thu, 22 Mar 2001, Michael George wrote:

> I'm reading the IP Masq HOWTO, and I have a question...
>
> In the HOWTO there's a script starting at about line 3100.  That is a stronger
> ruleset for a Masq machine.  I think I have all the ipchains rules figured
> out, but I'm wondering what happens with a local-local packet.
>
> If the firewall/gateway machine is the default gateway, isn't it possible that
> machines from the private network will send packets to the gateway that are
> destined back to the local network?  If that happens, it seems we'd have:
>
>       in IF   out IF          Source          Dest
>       eth0    eth0            192.168.xx      192.168.x.x
>
> This will be accepted by the input rules, but it will be flushed by the
> forward rules.
>
> What am I missing here?  Is it not possible for local --> local traffic to go
> through the GW under normal configurations (given "order hosts,bind" in
> /etc/host.conf)?  Am I misreading a rule?
>
> I've read IPCHAINS-HOWTO, IP-Masquerade-HOWTO, and Firewall-HOWTO...
>
> Thanks!
>
> -Michael
>
Unless the gateway/firewall has more than two interfaces, this does not
arise if your system is set up correctly.  This is because the route is
not through the gateway/firewall.  Packets from 192.168.x.x to
192.168.y.y should not pass through the gateway/firewall at all, because
192.168.y.y is either on the same physical subnet, or it has a
different gateway.  You should never get traffic coming in on an
interface and being re-transmitted out the same interface.  (There are
some special cases where it does happen, but that involves masquerading
packets between subnets on the same physical subnet.)

If you have more than two interfaces on the firewall/gateway, you have
to provide routing rules to get local traffic between the interfaces.
It also adds to the total complexity of the firewall rules.  You can
add controls for things like blocking outgoing traffic to port 80 for one of
the interfaces, limiting the types of traffic that will pass from one
subnet to the other, etc.

Mikkel
 --

    Do not meddle in the affairs of dragons,
 for you are crunchy and taste good with ketchup.
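Added example (not part of the thread above): a small model of the routing decision Mikkel describes, plus a check over forwarded-packet records shaped like the in-IF/out-IF table in the question. The routing table, gateway address and packet records are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a LAN host: the attached subnet is reached
# directly (no gateway), everything else goes via the masq gateway.
ROUTES = [
    ("192.168.1.0/24", None, "eth0"),      # directly attached LAN
    ("0.0.0.0/0", "192.168.1.1", "eth0"),  # default route via the gateway
]
GATEWAY = "192.168.1.1"  # constructed address of the masq box


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match; returns (gateway or None, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    if best is None:
        raise ValueError("no route to %s" % dst)
    return best[1], best[2]


def transits_gateway(dst, gateway=GATEWAY):
    """True only when the host hands the packet to the gateway, i.e. when
    the destination is not on a directly attached subnet."""
    return next_hop(dst)[0] == gateway


# Constructed FORWARD-chain records; a real gateway would log these.
FORWARDED = [
    {"in": "eth0", "out": "eth0", "src": "192.168.1.20", "dst": "192.168.1.30"},
    {"in": "eth0", "out": "ppp0", "src": "192.168.1.20", "dst": "203.0.113.5"},
]


def hairpin_forwards(records):
    """Forwards that leave on the interface they arrived on. On a correctly
    routed two-interface gateway this list should be empty, so any entry
    points at a host with a wrong default route or a misrouted subnet."""
    return [r for r in records if r["in"] == r["out"]]


if __name__ == "__main__":
    print(next_hop("192.168.1.30"), transits_gateway("203.0.113.5"))
    print(hairpin_forwards(FORWARDED))
```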



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list