Hello everyone,
i've a problem with a dual homed host and the configuration of spoof protection.
The host is a Linux box with two interfaces:
OS-Version : Red Hat Linux release 9 (Shrike)
Kernel-Release : 2.4.20-24.9smp
CPU : 0 - 1 Intel(R) Pentium(R) 4 CPU 2.80GHz
CPU : 1 - 2 Intel(R) Pentium(R) 4 CPU 2.80GHz
Interface : eth0 X.X.4.43 X.X.4.255 (public class B net)
Interface : eth1 X.X.1.43 X.X.1.255 (public class B net)
/---------------------------------------------\
/ internet \
| |
\ /
----------------------------------------------
| |
router 1 router 2
| |
| ---------- |
subnet X.X.1.x -- eth1-| server |-eth0 -- subnet X.X.4.x
----------
Extraction from the script:
...
IF_0=eth0
IF_1=eth1
...
HOST="`/bin/hostname`"
...
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
...
# spoof protection
${IPTABLES} -A INPUT -s $HOST -i $IF_0 -j DROP
${IPTABLES} -A INPUT -s $HOST -i $IF_1 -j DROP
...
Observed problems:
* Enabling "rp_filter" causes some of my ssh-connection to freese (no response,
my computer is part of the internet); pinging both interfaces from a maschine
in the internet fails, one of them is not reachable; pinging them from a host
within the subnet is possible
* Enabling the input-firewall-rules has the effect of a delay of a few
minutes(!) when starting the script.
The aim of the "firewall"-script is to protect the host against undesired
connections. I need an advice.
thanx
R.
__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register
Netscape. Just the Net You Need.
New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp
