linux networking question
My server consists of 3 network cards for LAN. For your information, the settings on the 3 LAN cards are as follows:

eth0 - 192.168.21.254
eth1 - 192.168.23.254
eth2 - 192.168.25.254

Recently, one of the users (192.168.21.221) tried to ping eth0 (192.168.21.254) and it was successful. Then, he tried to ping 192.168.23.254 as well, and it returned ping replies too. So, my question is: can we set up the Linux server to stop the user from pinging and accessing other users on a different subnet? Thanks for your time, guys. -m4-
Entering this in /etc/sysconf/network:

FORWARD_IPV4=false

will turn off all forwarding. This is carried out by this command somewhere:

echo "0" > /proc/sys/net/ipv4/ip_forward

By default, forwarding is disabled in the kernel until

echo "1" > /proc/sys/net/ipv4/ip_forward

is called by a network script.
Actually, a Linux machine by default replies to ICMP echo requests even if they are not from the LAN segment directly connected to a LAN card, which is why the user on the LAN 192.168.21.0/24 is getting ICMP echo replies when he pings 192.168.23.254. If you want to disable all incoming ICMP traffic, then do the following as root:

iptables -I INPUT -p ICMP -j DROP

The above will drop all ICMP packets destined to this machine on any interface. A much more convenient way is to just allow the user to ping the server address on his LAN. For example, if you want the users on 192.168.21.0/24 to be able to ping only the server address 192.168.21.254, then do the following:

iptables -I INPUT -p ICMP -s 192.168.21.0/24 -d 0.0.0.0/0 -j DROP
iptables -I INPUT -p ICMP -s 192.168.21.0/24 -d 192.168.21.0/24 -j ACCEPT

I hope that helps!
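As an added illustration (not part of n3tw0rk's post or of iptables itself), this Python model of first-match chain evaluation shows why the two `-I` commands above work in the order typed: each `-I` inserts at the head of the INPUT chain, so the ACCEPT rule is evaluated before the DROP rule, whereas the same two commands with `-A` would let the DROP shadow the ACCEPT. Addresses are the ones from the thread; the chain's default policy is assumed to be ACCEPT.

```python
import ipaddress

# Added example (not from the thread): a minimal model of how netfilter walks
# the INPUT chain. Packets addressed to any local interface (192.168.21.254,
# 192.168.23.254, ...) are delivered locally via INPUT, not FORWARD, which is
# why ip_forward=0 does not stop these pings and why the rules go into INPUT.

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.rules = []       # evaluated top to bottom, first match wins
        self.policy = policy  # assumed default policy when no rule matches

    def insert(self, proto, src, dst, target):
        """Model `iptables -I INPUT -p PROTO -s SRC -d DST -j TARGET` (head)."""
        self.rules.insert(0, (proto, ipaddress.ip_network(src),
                              ipaddress.ip_network(dst), target))

    def append(self, proto, src, dst, target):
        """Model `iptables -A INPUT ...` (tail), for comparison."""
        self.rules.append((proto, ipaddress.ip_network(src),
                           ipaddress.ip_network(dst), target))

    def verdict(self, proto, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r_proto, r_src, r_dst, target in self.rules:
            if r_proto == proto and s in r_src and d in r_dst:
                return target
        return self.policy

def build_with_insert():
    """The two commands from the post, typed in that order with -I."""
    c = Chain()
    c.insert("icmp", "192.168.21.0/24", "0.0.0.0/0", "DROP")
    c.insert("icmp", "192.168.21.0/24", "192.168.21.0/24", "ACCEPT")
    return c  # chain order: ACCEPT (same subnet), then DROP (everything else)

def build_with_append():
    """Same two commands but with -A: the broad DROP now shadows the ACCEPT."""
    c = Chain()
    c.append("icmp", "192.168.21.0/24", "0.0.0.0/0", "DROP")
    c.append("icmp", "192.168.21.0/24", "192.168.21.0/24", "ACCEPT")
    return c

if __name__ == "__main__":
    good, bad = build_with_insert(), build_with_append()
    for dst in ("192.168.21.254", "192.168.23.254"):
        print(dst, "-I:", good.verdict("icmp", "192.168.21.221", dst),
              "-A:", bad.verdict("icmp", "192.168.21.221", dst))
```

Note that hosts on 192.168.23.0/24 are untouched by these two rules and fall through to the default policy; each LAN needs its own pair if the same restriction is wanted there.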
Perhaps some experimentation by m4dj4ck is in order.
Alright... sorry for some missing information. This system is actually a Linux gateway with eth0 (192.168.120.2) facing the Internet, and eth1, eth2 and eth3 are for LAN. As expected, this box is running the shorewall firewall with, of course, masquerading on it. So, if I were to disable it with FORWARD_IPv4=FALSE, would it disable all the IP forwarding activities, including masquerading?
Yes, that will disable all forwarding activities, including masquerading.
FWIW: n3tw0rk correctly addressed your problem and offered the only viable solution that I'm aware of. In short, you are trying to ping an interface of a multi-homed system, not a host on the other side of that interface; thus the TCP/IP stack is technically not forwarding, i.e. transmitting out the other interface. If you are still confused, run tcpdump on all interfaces, then issue your ping test and take notice of which interfaces receive/transmit traffic during your test. Since you are using shorewall, you could easily add a rule that does not allow ping traffic (or any traffic, for that matter) from zone->fw, just zone->internet. Which, BTW, is basically the same solution n3tw0rk pointed out in his reply; you would just be using shorewall to configure the appropriate iptables rules based on the zones you have defined.