LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-01-2011, 09:43 PM   #1
momok
Registered: Jun 2011

iptables 192.168.1.x server, can't ping by 192.168.0.x


Hi friends. This is my first post here. I've always got good answers from Google that turn out to be in this forum.
I've just learned simple iptables.
I have set the firewall for the CentOS server at 192.168.1.21 like this.
It has a gateway of 192.168.1.2.

Code:
iptables -P INPUT DROP
iptables -A INPUT --in-interface lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT

The MAC source is my laptop's MAC address.
But when I try to ping from my laptop at 192.168.0.2 (my gateway is 192.168.0.1, but it shares the same server, which has 3 network gateways, including the gateway for the CentOS box), it fails.
What should I do to enable this ping? I also cannot connect to the CentOS server unless I change my IP to 192.168.1.x and the same gateway as CentOS. Can someone suggest what I should modify in my firewall to enable connections to the CentOS server from my 192.168.0.2 laptop? Is that related to the NAT and FORWARD chains in the CentOS firewall?
Can someone suggest a good book to start learning about Linux firewalls?

Last edited by momok; 06-01-2011 at 09:47 PM.
 
Old 06-02-2011, 12:09 AM   #2
win32sux
Registered: Jul 2003
To allow your server to receive pings you'll need to do something like:
Code:
iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
As for the other issue: If you're going through a router/gateway, the MAC address the other side sees will be that of its gateway, not the original host. Your MAC address is only used to get the frame to a router (or to another host on the same network). The router then strips your MAC, replacing it with its own as it sends it down the next link. With that in mind, it makes perfect sense that your rules won't work unless your laptop is on the same network as your server.

A good iptables tutorial is here.
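The point above about the gateway rewriting the source MAC, as an added example that is not code from this thread: a small Python model of the OP's INPUT chain, evaluated against a frame from the same LAN and against one forwarded by the gateway, then against the chain with the ICMP rule and an address-based rule in place of MAC matching for the routed subnet. The gateway MAC and the 192.168.1.50 address are constructed values; only the matches the thread's rules use are modelled.

```python
import ipaddress
from dataclasses import dataclass
LAPTOP_MAC = "00:0F:EB:91:00:01"   # the OP's laptop MAC, from the thread
GATEWAY_MAC = "00:00:5e:00:53:01"  # constructed MAC for the 192.168.1.2 gateway

@dataclass
class Packet:
    src_ip: str
    src_mac: str            # source MAC of the frame as the server receives it
    proto: str              # "tcp" or "icmp"
    dport: int = None
    icmp_type: int = None
    state: str = "NEW"      # conntrack state seen by -m state
@dataclass
class Rule:
    target: str
    proto: str = None
    dport: int = None
    icmp_type: int = None
    mac_source: str = None  # -m mac --mac-source
    src_net: str = None     # -s 192.168.0.0/24
    states: tuple = ()      # -m state --state
    def matches(self, p: Packet) -> bool:
        return all((
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
            self.icmp_type is None or p.icmp_type == self.icmp_type,
            self.mac_source is None or p.src_mac.lower() == self.mac_source.lower(),
            self.src_net is None or ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net),
            not self.states or p.state in self.states,
        ))
def evaluate(rules, p: Packet, policy: str = "DROP") -> str:
    # First matching rule decides, as in a real chain; otherwise the policy applies.
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

# The OP's INPUT chain (the lo rule is left out: it never sees remote traffic).
OP_RULES = [Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
            Rule("ACCEPT", proto="tcp", dport=22, mac_source=LAPTOP_MAC),
            Rule("ACCEPT", proto="tcp", dport=80, mac_source=LAPTOP_MAC)]
# win32sux's ICMP rule plus an address-based SSH rule for the routed subnet.
FIXED_RULES = OP_RULES + [Rule("ACCEPT", proto="icmp", icmp_type=8),
                          Rule("ACCEPT", proto="tcp", dport=22, src_net="192.168.0.0/24")]
# Same LAN keeps the laptop's MAC; via the gateway the frame carries the gateway's MAC.
same_lan_ssh = Packet("192.168.1.50", LAPTOP_MAC, "tcp", dport=22)
routed_ssh = Packet("192.168.0.2", GATEWAY_MAC, "tcp", dport=22)
routed_ping = Packet("192.168.0.2", GATEWAY_MAC, "icmp", icmp_type=8)
```

The routed packets never match a `--mac-source` rule and fall through to the DROP policy, while the address-based rule accepts the SSH connection from 192.168.0.2 and still drops a host outside that subnet.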
 
Old 06-02-2011, 01:32 AM   #3
momok (Original Poster)
Oh, thank you very much win32sux. Your explanation is very logical. Maybe one answer is that I may need to permit access only from the MAC address of my gateway? But it won't give as good security as I want. Otherwise I may also permit access from certain IPs in 192.168.0.x. I'm just afraid spoofing of the IP address and MAC address will break the security. Maybe I should think of other techniques. Thanks again win32sux!