LinuxQuestions.org
Old 06-02-2012, 03:17 PM   #1
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Southern Brazil
Distribution: Debian, CentOS
Posts: 296

Rep: Reputation: 31
LAN full of public/routed IPv4 addresses - How to filter it?


The answer to my question is maybe not that hard, but anyway, I do not know what to do.

So, I just got a new job at a University and I found out that the network (the LAN) is full of public IP addresses. Seriously, the whole LAN (probably more than 150 hosts) has its own Internet IP address and I don't know how to manage it.

I have very good experience using iptables (Linux firewall) in a NAT'ed environment. But then how should I proceed in an environment where all of my LAN is working with a bunch of public IP addresses? Should I just use the "forward" rules and ignore the NAT rules, or is there any other issue in such an environment which I should take care of?

Can I add a firewall between the router and the LAN in order to produce packet filtering for these public IP addresses in my LAN or will this just not work?

Thanks!
 
Old 06-02-2012, 04:21 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

Rep: Reputation: Disabled
As you say, you filter traffic using the FORWARD chain.

NAT is not a security feature, so you should be using the FORWARD chain to filter traffic in NAT scenarios as well.
 
1 members found this post helpful.
Old 06-03-2012, 02:00 PM   #3
jefro
Guru
 
Registered: Mar 2008
Posts: 11,965

Rep: Reputation: 1484
I'd suspect some hole in the security. In a normal LAN one doesn't use public IPs, even though there is nothing wrong with it. So this would make us think that the router does allow web access or access to routable IP addresses.

There should have been a high quality firewall on the LAN 10 years or more ago. What were they thinking? What is this, a grade school project?
 
Old 06-03-2012, 05:51 PM   #4
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Southern Brazil
Distribution: Debian, CentOS
Posts: 296

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by jefro View Post
I'd suspect some hole in the security. In a normal LAN one doesn't use public IPs, even though there is nothing wrong with it. So this would make us think that the router does allow web access or access to routable IP addresses.

There should have been a high quality firewall on the LAN 10 years or more ago. What were they thinking? What is this, a grade school project?
Jefro, it's a new branch of a State University (and they are interconnected through a WAN). I agree with you, it's bizarre, an entire LAN filled with routed IPs (unless it was IPv6, but then it's a whole different animal).

I don't really know what they were thinking. Like I said, Friday was my first day in this new job, so this week I will investigate these issues. I will try to contact the administrators from the University Headquarters to find out exactly why they built a LAN full of routed IPs.

Last edited by sparc86; 06-03-2012 at 05:52 PM.
 
Old 06-03-2012, 06:38 PM   #5
jefro
Guru
 
Registered: Mar 2008
Posts: 11,965

Rep: Reputation: 1484
Then we need a much greater understanding of the scope of the LAN's use and maybe misuse.
 
Old 06-03-2012, 06:40 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

Rep: Reputation: Disabled
Quote:
Originally Posted by sparc86 View Post
Jefro, it's a new branch of a State University (and they are interconnected through a WAN). I agree with you, it's bizarre, an entire LAN filled with routed IPs (unless it was IPv6, but then it's a whole different animal).

I don't really know what they were thinking. Like I said, Friday was my first day in this new job, so this week I will investigate these issues. I will try to contact the administrators from the University Headquarters to find out exactly why they built a LAN full of routed IPs.
It is quite common to see entire LANs with routable IPs in educational institutions like universities. They typically got their IP allocations back in the early 1990s and may have millions of addresses at their disposal, so why bother with NAT?
 
Old 06-04-2012, 04:12 PM   #7
jefro
Guru
 
Registered: Mar 2008
Posts: 11,965

Rep: Reputation: 1484
Can't say without more detail.

It is not uncommon for a holder of a range of IP addresses to use them as they wish. We still have a class A subnet and ran out of numbers in the '90s. We used NAT for security as well, and to free up numbers that had to be on the public side.
 
Old 06-04-2012, 06:13 PM   #8
snowmobile74
LQ Newbie
 
Registered: Nov 2003
Location: Reston, VA
Distribution: Slackware for everything
Posts: 22

Rep: Reputation: 1
The iptables Wiki has a really great diagram of how traffic flows

http://upload.wikimedia.org/wikipedi...acket-flow.svg

It would be preferable to add drop rules on the INPUT chain; you'll end up using more resources by adding forwarding tables to everything. Other than that, you can just use a Linux box as a router; it's just as happy to do Layer 3 routing without mucking with iptables.
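As an added example that is not part of this thread, here is a stateful iptables ruleset for the setup discussed in posts #1, #2 and #8: a Linux box sitting between the upstream router and the LAN of publicly routed hosts, with no NAT at all. Transit traffic to and from the LAN hosts is filtered in FORWARD; only packets addressed to the firewall itself hit INPUT. The interface names, the 203.0.113.0/24 documentation prefix and the list of inbound ports are assumptions to be edited for a real site.

```shell
#!/bin/sh
# Added example (not from the thread): routed, no-NAT firewall between the
# router and a LAN of public IPv4 hosts. Transit packets never touch INPUT;
# they are filtered in FORWARD. Values below are assumptions, not site data.
WAN_IF="eth0"                 # towards the university router
LAN_IF="eth1"                 # towards the public-IP LAN
LAN_NET="203.0.113.0/24"      # placeholder prefix from RFC 5737
INBOUND_TCP="80 443"          # LAN services reachable from the Internet

# Emit the ruleset as text; pipe it to sh (as root) to apply it.
build_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
# INPUT: only what is addressed to the firewall box itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD: transit traffic between the public LAN and the Internet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# anti-spoofing: LAN prefix must not arrive from the WAN, and only the LAN
# prefix may leave through the LAN interface
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
# LAN hosts may open connections outbound
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Inbound new connections only to the listed TCP services on LAN hosts
    for port in $INBOUND_TCP; do
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# everything else falls through to the DROP policy; log a rate-limited sample
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# To apply on the firewall host, run as root:
#   build_rules | sh
```

Review the generated text with `build_rules` before piping it anywhere, and make sure the SSH rule matches the network you administer from, since the INPUT policy is DROP.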
 