Unwanted routing between subnets
Hi, I'm running a router on SuSE 8.2 which connects 2 local subnets to the internet. The subnets run over the same NIC with virtual interfaces: eth0, subnet 192.168.0.0/255.255.0.0 (call it subnet A) eth0:1, subnet 172.16.0.0/255.255.0.0 (call it subnet B) (Yes, this is a mess, but fixing up this naturally grown network topology might induce even more trouble.) eth1 connects to the internet. The setup works; both subnets have internet access. However, subnet A is still accessible from subnet B and vice versa. This is not what I want; instead I want the two subnets to be invisible to each other. There is no route from A to B or from B to A specified in the /etc/sysconfig/network directory (is there another place to look at?). Maybe this problem comes from the virtual interface stuff? I tried to set up routing rules with the "unreachable", "prohibit" or "blackhole" option, but I did't find useful documentation on usage of these options and it did not work as expected. I also tried some custom rules for SuSEfirewall2, but no success either. So what routing options and/or iptables rules do I have to use? Thanks, Holger
On Monday 08 September 2003 18:41, Holger Schletz wrote:
The setup works; both subnets have internet access. However, subnet A is still accessible from subnet B and vice versa. This is not what I want; instead I want the two subnets to be invisible to each other.
Since both networks are on the same physical network and therefor traffic doesn't need to pass your router to cross from one to the other, this may be impossible. Depending on what you're trying to achieve, encrypting all traffic (ie, a VPN) between clients and your router may solve your problem. People determined to connect from one network to the other directly will not be stopped, but it will prevent them from eavesdropping on connections between clients and your router. Best regards, Arjen
On Sep 8, Arjen de Korte
On Monday 08 September 2003 18:41, Holger Schletz wrote:
The setup works; both subnets have internet access. However, subnet A is still accessible from subnet B and vice versa. This is not what I want; instead I want the two subnets to be invisible to each other.
Since both networks are on the same physical network and therefor traffic doesn't need to pass your router to cross from one to the other, this may be impossible. Although it is impossible to prevent that physical traffic can be seen, it is still the fault of the router that clients can reach the other subnet (except if each client has its own routing table entry to reach the other subnet). I'm no firewall2 expert, but I wanted to clarify this.
Markus -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
On Sep 8, Arjen de Korte
wrote: On Monday 08 September 2003 18:41, Holger Schletz wrote:
The setup works; both subnets have internet access. However, subnet A is still accessible from subnet B and vice versa. This is not what I want; instead I want the two subnets to be invisible to each other.
Since both networks are on the same physical network and therefor
Hi,
a rule like
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d 172.16.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -d 192.168.0.0/16 -j DROP
wouldn't work ?
Mit freundlichen Grüßen / Best regards
Bruno Leonhardt
LPI Level 1 Certified
Watchguard Certified System Professional
CLP Domino R5 Systemadministrator
Markus Gaugusch
doesn't need to pass your router to cross from one to the other, this may be impossible. Although it is impossible to prevent that physical traffic can be seen, it is still the fault of the router that clients can reach the other subnet (except if each client has its own routing table entry to reach the other subnet). I'm no firewall2 expert, but I wanted to clarify this.
Markus
-- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Thanks, that helped. I tried this before, but only on the INPUT chain. Too busy to see the obvious :-] However, adding a ruleset for the INPUT chain is still necessary to protect the interfaces on the router itself, as these are not handled by the FORWARD chain. Bye, Holger Am Dienstag, 9. September 2003 08:40 schrieb BLeonhardt@analytek.de:
Hi,
a rule like
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d 172.16.0.0/16 -j DROP iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -d 192.168.0.0/16 -j DROP
wouldn't work ?
Mit freundlichen Grüßen / Best regards Bruno Leonhardt
LPI Level 1 Certified Watchguard Certified System Professional CLP Domino R5 Systemadministrator
Thanks, that helped.
I tried this before, but only on the INPUT chain. Too busy to see the obvious :-]
However, adding a ruleset for the INPUT chain is still necessary to
of course you can protect your nets, I suggest following rules : iptables -A INPUT -i eth0 -s 192.168.0.0/16 -d $LOCAL-IP -j ACCEPT iptables -A INPUT -i eth0 -s 172.16.0.0/16 -d $LOCAL-IP -j ACCEPT guessing the default policy is drop for input ... cu bruno holger.schletz@web.de schrieb am 10.09.2003 11:03:37: protect
the interfaces on the router itself, as these are not handled by the FORWARD chain.
Bye, Holger
Am Dienstag, 9. September 2003 08:40 schrieb BLeonhardt@analytek.de:
Hi,
a rule like
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d 172.16.0.0/16 -j DROP iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -d 192.168.0.0/16 -j DROP
wouldn't work ?
Mit freundlichen Grüßen / Best regards Bruno Leonhardt
LPI Level 1 Certified Watchguard Certified System Professional CLP Domino R5 Systemadministrator
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese E-Mail und deren Anhänge. Das unerlaubte Kopieren, die unberechtigte Veröffentlichung sowie die unbefugte Weitergabe dieser E-Mail oder des Inhalts ist nicht gestattet. This e-mail is confidential and may also be legally privileged. If you are not the indended recipient or have received this messge in error, please notify the sender immediately and delete this message and any attachements. Any unauthorized copying, disclosure or circulation of the message or the contents of this message is strictly prohibited.
Holger Schletz wrote:
Hi,
I'm running a router on SuSE 8.2 which connects 2 local subnets to the internet. The subnets run over the same NIC with virtual interfaces:
eth0, subnet 192.168.0.0/255.255.0.0 (call it subnet A) eth0:1, subnet 172.16.0.0/255.255.0.0 (call it subnet B)
(Yes, this is a mess, but fixing up this naturally grown network topology might induce even more trouble.)
eth1 connects to the internet.
Hello this box works at internetgateway, so routing is activated. Since both subnets (192.168.. and 172.16..) are connected directly to the box, the router "knows" how to route between these subnets and does it ;-) (Have a look at route -n) I think the best (and easiest) way is to use the iptables-Rules as Bruno Leonhardt has written! -- mit freundlichen Grüßen, Guido Tschakert ___________________________________________________________________ SRC Security Research & Consulting GmbH Graurheindorfer Str. 149a Tel: +49-228-2806-138 53117 Bonn Mobil:+49-160-3671422 http://www.src-gmbh.de Fax: +49-228-2806-199
Hello, I don't know exactly but could/should following parameter play a role?!: # 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", if not set defaults to "no" # FW_ALLOW_CLASS_ROUTING="no"
-----Original Message----- From: Guido Tschakert [mailto:guido.tschakert@src-gmbh.de] Sent: Tuesday, September 09, 2003 8:58 AM To: Holger Schletz; suse-security@suse.com Subject: Re: [suse-security] Unwanted routing between subnets
Holger Schletz wrote:
Hi,
I'm running a router on SuSE 8.2 which connects 2 local subnets to the internet. The subnets run over the same NIC with virtual interfaces:
eth0, subnet 192.168.0.0/255.255.0.0 (call it subnet A) eth0:1, subnet 172.16.0.0/255.255.0.0 (call it subnet B)
(Yes, this is a mess, but fixing up this naturally grown network topology might induce even more trouble.)
eth1 connects to the internet.
Hello this box works at internetgateway, so routing is activated. Since both subnets (192.168.. and 172.16..) are connected directly to the box, the router "knows" how to route between these subnets and does it ;-) (Have a look at route -n) I think the best (and easiest) way is to use the iptables-Rules as Bruno Leonhardt has written!
-- mit freundlichen Grüßen,
Guido Tschakert
___________________________________________________________________ SRC Security Research & Consulting GmbH Graurheindorfer Str. 149a Tel: +49-228-2806-138 53117 Bonn Mobil:+49-160-3671422 http://www.src-gmbh.de Fax: +49-228-2806-199
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Hi, I recognized this option, too. It is set to "no" (the default), but does not have the desired effect. Bye, Holger Am Dienstag, 9. September 2003 17:05 schrieb Mario Neubert:
Hello,
I don't know exactly but could/should following parameter play a role?!:
# 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", if not set defaults to "no" # FW_ALLOW_CLASS_ROUTING="no"
participants (6)
-
Arjen de Korte
-
BLeonhardt@analytek.de
-
Guido Tschakert
-
Holger Schletz
-
Mario Neubert
-
Markus Gaugusch