LAN full of public/routed ipv4 addresses - How to filter it?
The answer to my question maybe is not that hard but anyways, I do not know what to do.
So, I just got a new job at a University and I found out that the network (the LAN) is full of public IP addresses. Seriously, the whole LAN (probably more than 150 hosts) has its own Internet IP address and I don't know how to manage it. I have very good experience using iptables (Linux firewall) in a NAT'ed environment. But then how should I proceed in an environment where my whole LAN is working with a bunch of public IP addresses? Should I just use the "forward" rules and ignore the NAT rules, or is there any other issue in such an environment which I should take care of? Can I add a firewall between the router and the LAN in order to do packet filtering for these public IP addresses in my LAN, or will this just not work? Thanks! |
As you say, you filter traffic using the FORWARD chain.
NAT is not a security feature, so you should be using the FORWARD chain to filter traffic in NAT scenarios as well. |
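To make the answer concrete, here is an added example (not configuration from the original poster or from this thread) of a FORWARD-chain policy for a routed LAN of public addresses, with no nat table at all. It assumes the filtering box sits in-line between the router and the LAN, with the LAN prefix routed through it; the interface names eth0/eth1, the TEST-NET-3 prefix 203.0.113.0/24 and the host 203.0.113.10 are placeholders. Packets transiting the box traverse FORWARD only; INPUT sees only traffic addressed to the firewall itself, which is why the two chains get separate policies here.

```shell
#!/bin/sh
# Illustrative ruleset for a routed (non-NAT) LAN of public IPv4 addresses.
# Added example for this thread, not the poster's own configuration.
# Interface names, the prefix and the published host are assumptions.

WAN_IF="${WAN_IF:-eth0}"                 # towards the university router / Internet
LAN_IF="${LAN_IF:-eth1}"                 # towards the LAN with public addresses
LAN_NET="${LAN_NET:-203.0.113.0/24}"     # placeholder prefix (TEST-NET-3)
WEB_HOST="${WEB_HOST:-203.0.113.10}"     # placeholder: the one host published to the outside

# Emit the policy in iptables-restore format. Nothing is applied here, so the
# generated text can be reviewed (or tested) without root or a kernel.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall host itself: loopback, replies, and SSH from the LAN side only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Transit traffic between LAN and router: routed packets are seen in FORWARD only
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: our own prefix must never arrive on the WAN interface
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Anything the LAN originates may leave
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Inbound: only explicitly published services on explicitly named hosts
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else inbound is logged (rate-limited) and then hits the DROP policy
-A FORWARD -i $WAN_IF -o $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
COMMIT
EOF
}

# Count the rules in one chain of the generated set (quick sanity check).
count_chain() {
    build_rules | grep -c "^-A $1 "
}

# Apply the policy. Needs root; also turns the box into a router.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
    build_rules | iptables-restore
}

# Only apply when explicitly asked, so that sourcing the file is harmless.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `sh fw.sh` to print nothing and `sh fw.sh apply` to load the rules; `build_rules` alone shows the ruleset for review. The default DROP policy on FORWARD is what replaces the accidental protection a NAT box gave: every LAN host keeps its public address, but nothing reaches it from outside unless a rule says so.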
I'd suspect some hole in the security. In a normal LAN one doesn't use public IPs, even though there is nothing wrong with it. So this would make us think that the router does allow web access or access to routable IP addresses.
There should have been a high quality firewall on the LAN 10 years or more ago. What were they thinking? What is this, a grade school project? |
I don't really know what they were thinking. Like I said, Friday was my first day in this new job, so this week I will investigate these issues. I will try to contact the administrators from the University Headquarters to find out exactly why they built a LAN full of routed IPs. |
Then we need a much greater understanding of the use and scope of the lan's use and maybe misuse.
|
Can't say without more detail.
It is not uncommon for a holder of a range of IP addresses to use them as they wish. We still have a class A subnet and ran out of numbers in the '90s. We used NAT for security as well, and to free up numbers that had to be on the public side. |
The iptables Wiki has a really great diagram of how traffic flows
http://upload.wikimedia.org/wikipedi...acket-flow.svg It would be preferable to add drop rules on the INPUT; you'll end up using more resources by adding forwarding tables to everything. Other than that you can just use a Linux box as a router; it's just as happy to do Layer 3 routing without mucking with iptables. |