Some could spoof your invalid IP (rewrite their packets to have a source address of 192.168.xxx.xxx) and gain access, or you could allow access using port forwarding.

To prevent spoofing, use the following rules in your firewall script:
-----------------------------------------------
for pfile in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > "$pfile"
done
-----------------------------------------------

To allow port forwarding you need support in the kernel and then rules like the following:
-----------------------------------------------
# Load Port Forwarding Module
/sbin/modprobe ip_masq_portfw
#
# Setup Port Forwarding Rules
ipmasqadm portfw -f     # Flush any existing rules
#
# Forward remote calls to port 80 on the firewall to port 80 on the local machine
ipmasqadm portfw -a -P tcp -L 1.2.3.4 80 -R 192.168.xxx.xxx 80
------------------------------------------------

This will redirect port 80 requests to your firewall/router to port 80 on a local machine. You can do this with multiple ports and multiple machines and it works quite well.

On Fri, 09 Jun 2000, Thomas Michael Wanka wrote:
> On 9 Jun 2000, at 11:28, Julien Calvet wrote:
yes you can ... You must use IP-route2 package to make NAT.
Hi,
to me it sounded like Julien wanted to know if *somebody* (not allowed to) can connect to the private lan through his router. And that AFAIK is not possible without getting access to the router.
This leads me to a question I wanted to post for quite a while:
I have a PC connected to the internet and my server doing NAT to allow access from my lan to the internet. My lan, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my lan as the private addresses are not routed in the internet. So someone needed to compromise my router, log in (with e.g. telnet) and then has access to my lan. If that happened, all he has to access my lan with, are the programs installed on the router. Is that right?
thanks
mike
-- Chad Whitten cwhitten@intop.net http://whitten.dhs.org
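
A check to run after the rp_filter loop above, added here as an example and not part of the original message: it reports the effective reverse-path filter mode for each interface and fails if any interface is not in strict mode. The function name `rp_filter_audit`, its optional directory argument, and the current-kernel rule that the effective value is the larger of `conf/all` and the per-interface setting are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit reverse-path filtering per interface.
# Assumption: current-kernel semantics, where the setting applied to an
# interface is the larger of conf/all/rp_filter and conf/<iface>/rp_filter
# (0 = off, 1 = strict, 2 = loose).

# rp_filter_audit [CONF_DIR]
# Prints "<iface> <effective value> <mode>" for every interface and
# returns 1 if any interface is not in strict mode.
rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    audit_rc=0
    all=0
    if [ -r "$conf_dir/all/rp_filter" ]; then
        all=$(cat "$conf_dir/all/rp_filter")
    fi
    for pfile in "$conf_dir"/*/rp_filter; do
        [ -r "$pfile" ] || continue
        # Directory name is the interface name.
        iface=${pfile%/rp_filter}
        iface=${iface##*/}
        # "all" and "default" are templates, not real interfaces.
        case $iface in all|default) continue ;; esac
        eff=$(cat "$pfile")
        if [ "$all" -gt "$eff" ]; then
            eff=$all
        fi
        case $eff in
            1) mode=strict ;;
            2) mode=loose; audit_rc=1 ;;
            *) mode=off; audit_rc=1 ;;
        esac
        echo "$iface $eff $mode"
    done
    return $audit_rc
}

# Audit the live system only when asked to, e.g. "sh audit.sh --live".
if [ "${1:-}" = "--live" ]; then
    rp_filter_audit
fi
```

Interfaces created after the firewall script runs take their value from `conf/default`, so rerun the audit after bringing up a dial-up or VPN link.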