* only allow packets match interface ip
From: d tbsky @ 2013-08-22 9:32 UTC (permalink / raw)
To: netfilter
hi:
I have multiple WAN ports and multiple routing tables in a box.
The WAN port should be the final destination for the outside world
(e.g. all packets coming from the internet should have the destination IP
address of my WAN port; there is no further routing beyond the WAN IP
address).
rp_filter does not seem to work correctly in a multiple-routing-table
situation, so I need to set rp_filter to 0.
I want to know if there is a simple setup method to secure the WAN
port, or whether I need to use iptables to drop incoming packets not
matching the WAN interface IP.
The problem is that I have a dynamic ppp interface, so matching the IP via
iptables is a little complicated. So I want to know if there are
smarter ways to do the job.
Thanks a lot for any suggestions!!
Regards,
tbskyd
* Re: only allow packets match interface ip
From: Pascal Hambourg @ 2013-08-24 10:02 UTC (permalink / raw)
To: d tbsky; +Cc: netfilter
Hello,
d tbsky wrote:
> I have multiple WAN ports and multiple routing tables in a box.
> The WAN port should be the final destination for the outside world
> (e.g. all packets coming from the internet should have the destination IP
> address of my WAN port; there is no further routing beyond the WAN IP
> address).
>
> rp_filter does not seem to work correctly in a multiple-routing-table
> situation, so I need to set rp_filter to 0.
Indeed, this is a known problem. However, if all the WAN interfaces are
connected to the internet I see no point in using rp_filter on them.
> I want to know if there is a simple setup method to secure the WAN
> port,
What do you mean exactly by "secure the wan port"?
> or whether I need to use iptables to drop incoming packets not
> matching the WAN interface IP.
You are talking about two different things. rp_filter checks the source
address in incoming packets, not the destination address. Besides,
receiving on an interface packets which are destined to the address of
another interface is rather unlikely.
> The problem is that I have a dynamic ppp interface, so matching the IP via
> iptables is a little complicated.
You can use scripts in /etc/ppp/ip-{up|down}.d to add|remove iptables
rules based on the local address and interface name passed by pppd when
a PPP link is established|terminated.
Simple example :

#!/bin/sh
# /etc/ppp/ip-up.d/addrules
# Environment variables passed by pppd:
#   Variable      Meaning                   Example
#   PPP_IFACE     Interface name            ppp0
#   PPP_TTY       The tty                   ttyS1
#   PPP_SPEED     The link speed            38400
#   PPP_LOCAL     Local IP number           12.34.56.78
#   PPP_REMOTE    Peer IP number            12.34.56.99
#   PPP_IPPARAM   Optional "ipparam" value  foo
# Drop anything arriving on this PPP interface that is not addressed
# to the local end of the link.
iptables -I INPUT -i "$PPP_IFACE" ! -d "$PPP_LOCAL" -j DROP

#!/bin/sh
# /etc/ppp/ip-down.d/delrules
# Same environment variables as above.
# Remove the rule added by ip-up.d/addrules when the link goes down.
iptables -D INPUT -i "$PPP_IFACE" ! -d "$PPP_LOCAL" -j DROP
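As an added example (not code from the thread or its authors), the two hook scripts above folded into one file that can be installed under both /etc/ppp/ip-up.d and /etc/ppp/ip-down.d, with the values pppd hands over validated before they reach iptables and with `iptables -C` used so the rule is inserted once and removed completely even if pppd re-runs the hook. The script name "wanlock", the helper names and the IPTABLES override are this example's own assumptions.

```shell
#!/bin/sh
# Added example: install (or symlink) as /etc/ppp/ip-up.d/wanlock and
# /etc/ppp/ip-down.d/wanlock. pppd exports PPP_IFACE and PPP_LOCAL to
# scripts in these directories. Helper and variable names are assumptions.

IPTABLES="${IPTABLES:-iptables}"   # overridable, e.g. for dry runs

# Accept only a dotted-quad IPv4 address (what pppd puts in PPP_LOCAL).
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# Accept only a plausible Linux interface name (no spaces, max 15 chars).
is_iface() {
    [ -n "$1" ] && [ ${#1} -le 15 ] || return 1
    case "$1" in *[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# The rule from the reply: on this PPP interface, drop anything that is
# not addressed to the local end of the link.
rule_spec() { printf -- '-i %s ! -d %s -j DROP' "$1" "$2"; }

wan_lock() {   # $1 = up|down, $2 = interface name, $3 = local address
    is_iface "$2" && is_ipv4 "$3" || { echo "wanlock: bad args" >&2; return 1; }
    _spec=$(rule_spec "$2" "$3")
    case "$1" in
        up)   # insert once, even if the hook runs twice for the same link
              "$IPTABLES" -C INPUT $_spec 2>/dev/null || "$IPTABLES" -I INPUT $_spec ;;
        down) # remove every copy that may have accumulated
              while "$IPTABLES" -C INPUT $_spec 2>/dev/null; do
                  "$IPTABLES" -D INPUT $_spec || return 1
              done ;;
        *)    return 1 ;;
    esac
}

# Pick the action from the hook directory we were started from; when run
# from anywhere else the file only defines the functions above.
case "$0" in
    */ip-up.d/*)   wan_lock up   "$PPP_IFACE" "$PPP_LOCAL" ;;
    */ip-down.d/*) wan_lock down "$PPP_IFACE" "$PPP_LOCAL" ;;
esac
```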