On Sep 8, Arjen de Korte wrote:

...

On Monday 08 September 2003 18:41, Holger Schletz wrote:

...

The setup works; both subnets have internet access. However, subnet A is still accessible from subnet B and vice versa. This is not what I want; instead I want the two subnets to be invisible to each other.

Since both networks are on the same physical network and therefor

Hi, a rule like iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d 172.16.0.0/16 -j DROP iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -d 192.168.0.0/16 -j DROP wouldn't work ? Mit freundlichen Grüßen / Best regards Bruno Leonhardt LPI Level 1 Certified Watchguard Certified System Professional CLP Domino R5 Systemadministrator Markus Gaugusch schrieb am 08.09.2003 19:37:33: traffic

...

doesn't need to pass your router to cross from one to the other, this may be impossible. Although it is impossible to prevent that physical traffic can be seen, it is still the fault of the router that clients can reach the other subnet (except if each client has its own routing table entry to reach the other subnet). I'm no firewall2 expert, but I wanted to clarify this.

Markus

-- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Thanks, that helped.

I tried this before, but only on the INPUT chain. Too busy to see the obvious :-]

However, adding a ruleset for the INPUT chain is still necessary to

of course you can protect your nets, I suggest following rules : iptables -A INPUT -i eth0 -s 192.168.0.0/16 -d $LOCAL-IP -j ACCEPT iptables -A INPUT -i eth0 -s 172.16.0.0/16 -d $LOCAL-IP -j ACCEPT guessing the default policy is drop for input ... cu bruno holger.schletz@web.de schrieb am 10.09.2003 11:03:37: protect

the interfaces on the router itself, as these are not handled by the FORWARD chain.

Bye, Holger

Am Dienstag, 9. September 2003 08:40 schrieb BLeonhardt@analytek.de:

...

Hi,

a rule like

iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d 172.16.0.0/16 -j DROP iptables -A FORWARD -i eth0 -s 172.16.0.0/16 -d 192.168.0.0/16 -j DROP

wouldn't work ?

Mit freundlichen Grüßen / Best regards Bruno Leonhardt

LPI Level 1 Certified Watchguard Certified System Professional CLP Domino R5 Systemadministrator

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese E-Mail und deren Anhänge. Das unerlaubte Kopieren, die unberechtigte Veröffentlichung sowie die unbefugte Weitergabe dieser E-Mail oder des Inhalts ist nicht gestattet. This e-mail is confidential and may also be legally privileged. If you are not the indended recipient or have received this messge in error, please notify the sender immediately and delete this message and any attachements. Any unauthorized copying, disclosure or circulation of the message or the contents of this message is strictly prohibited.

Hello, I don't know exactly but could/should following parameter play a role?!: # 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", if not set defaults to "no" # FW_ALLOW_CLASS_ROUTING="no"

-----Original Message----- From: Guido Tschakert [mailto:guido.tschakert@src-gmbh.de] Sent: Tuesday, September 09, 2003 8:58 AM To: Holger Schletz; suse-security@suse.com Subject: Re: [suse-security] Unwanted routing between subnets

Holger Schletz wrote:

...

Hi,

I'm running a router on SuSE 8.2 which connects 2 local subnets to the internet. The subnets run over the same NIC with virtual interfaces:

eth0, subnet 192.168.0.0/255.255.0.0 (call it subnet A) eth0:1, subnet 172.16.0.0/255.255.0.0 (call it subnet B)

(Yes, this is a mess, but fixing up this naturally grown network topology might induce even more trouble.)

eth1 connects to the internet.

Hello this box works at internetgateway, so routing is activated. Since both subnets (192.168.. and 172.16..) are connected directly to the box, the router "knows" how to route between these subnets and does it ;-) (Have a look at route -n) I think the best (and easiest) way is to use the iptables-Rules as Bruno Leonhardt has written!

-- mit freundlichen Grüßen,

Guido Tschakert

___________________________________________________________________ SRC Security Research & Consulting GmbH Graurheindorfer Str. 149a Tel: +49-228-2806-138 53117 Bonn Mobil:+49-160-3671422 http://www.src-gmbh.de Fax: +49-228-2806-199

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here