LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   LAN full of public/routed ipv4 addresses - How to filter it? (http://www.linuxquestions.org/questions/linux-networking-3/lan-full-of-public-routed-ipv4-addresses-how-to-filter-it-948179/)

sparc86 06-02-2012 03:17 PM

LAN full of public/routed ipv4 addresses - How to filter it?
 
The answer to my question maybe is not that hard but anyways, I do not know what to do.

So, I just got in a new job in a Univerisity and I found out that the network (the LAN) is full of public IP addresses. Seriously, the whole LAN (probably more than 150 hosts) has it's own internet IP address and I don't know how to manage it.

I have a very good experience using iptables (Linux firewall) in a NAT'ed environment. But then how should I proceed in an environment where all my LAN is working with a bunch of public IP addresses? Should I just use the "forward" rules and ignore the NAT rules or is there any other issue in such environment which I should take care?

Can I add a firewall between the router and the LAN in order to produce packet filtering for these public IP addresses in my LAN or will this just not work?

Thanks!

Ser Olmy 06-02-2012 04:21 PM

As you say, you filter traffic using the FORWARD chain.

NAT is not a security feature, so you should be using the FORWARD chain to filter traffic in NAT scenarios as well.

jefro 06-03-2012 02:00 PM

I'd suspect some hole in the security. In a normal lan one doesn't use public ip's even though there is nothing wrong with it. So this would make us think that the router does allow web access or access to routable ip addresses.

There should have been a high quality firewall on the lan 10 years or more ago. What were they thinking? What is this a grade school project?

sparc86 06-03-2012 05:51 PM

Quote:

Originally Posted by jefro (Post 4694556)
I'd suspect some hole in the security. In a normal lan one doesn't use public ip's even though there is nothing wrong with it. So this would make us think that the router does allow web access or access to routable ip addresses.

There should have been a high quality firewall on the lan 10 years or more ago. What were they thinking? What is this a grade school project?

Jefro, it's a new branch from a State University (and they are interconnected through a WAN). I agree with you, it's bizarre an entire LAN filled with routed IPs (unless if it was ipv6, but then it's a whole different animal).

I don't really know what they were thinking. Like I said, Friday was my first day in this new job, so this week I will investigate these issues. I will try to contact the administrators from the University Headquarters to find out exactly why they built a LAN full of routed IPs.

jefro 06-03-2012 06:38 PM

Then we need a much greater understanding of the use and scope of the lan's use and maybe misuse.

Ser Olmy 06-03-2012 06:40 PM

Quote:

Originally Posted by sparc86 (Post 4694696)
Jefro, it's a new branch from a State University (and they are interconnected through a WAN). I agree with you, it's bizarre an entire LAN filled with routed IPs (unless if it was ipv6, but then it's a whole different animal).

I don't really know what they were thinking. Like I said, Friday was my first day in this new job, so this week I will investigate these issues. I will try to contact the administrators from the University Headquarters to find out exactly why they built a LAN full of routed IPs.

It it quite common to see entire LANs with routable IPs in educational institutions like universities. They typically got their IP allocations back in the early 1990s and may have millions of addresses to their disposal, so why bother with NAT?

jefro 06-04-2012 04:12 PM

Can't say without more detail.

It is not uncommon for a holder of a range of IP address to use them as they wish. We still have a class A subnet and ran out of numbers in the 90's. We used nat for security as well and to free up numbers that had to be on the public side.

snowmobile74 06-04-2012 06:13 PM

The iptables Wiki has a really great diagram of how traffic flows

http://upload.wikimedia.org/wikipedi...acket-flow.svg

It would be preferable to add drop rules on the INPUT, you'll end up using up more resources by adding forwarding tables to everything. Other than that you can just use a linux box as a router its just as happy to do Layer3 routing without mucking with iptables.


All times are GMT -5. The time now is 07:02 AM.