Hello,
VspaceG wrote:
>
> I have the following problem : I have a computer running linux with 3
> network links and 3 IP addresses:
>
> IPA on network A with private IP addresses
> IPB on network B
> IPInternet on Internet
>
> Linux is masquerading network A and routing network B. All is correct.
>
> But I can ping IPA from network B. And IPA is responding. Is this a
> known bug ?
No, it is a feature. By default a Linux box accepts traffic to any of
its local addresses on any interface, even when the destination address
does not match the input interface. And it can send traffic from any of
its local addresses on any interface, even when the source address does
not match the output interface. IIRC it is called "weak model".
"Worse" : from network B you should be able to ping any host in network
A. Remember that NAT itself does not provide a protection.
> Is there some "ip rule" or "ip route" tricks to prevent this ?
I'm afraid no. Although it is possible to create source address-based
rules with the "unreachable" or "prohibit" type, e.g.:
ip rule add type unreachable to <network_a> from <network_b>
this would work only for packets sent from network B to network A
addresses other than IPA because the local routing table which contains
the local addresses (IPA, IPB, IPInternet, 127.0.0.0/8) is looked up
first before other routing rules are examined by the routing process.
Besides, this would prevent communications from network A to network B
from getting replies, which may be undesirable. One solution is to use
ACLs in the server application itself or in (x)inetd, tcpd, or any other
applicable wrapper. Another solution is to use iptables filtering rules
with connection tracking to reject NEW connections from network B to
network A and IPA. For example:
iptables -A FORWARD -s <network_b> -d <network_a> -m state --state NEW \
-j REJECT
iptables -A INPUT -s <network_b> -d <ipa> -m state --state NEW -j REJECT
Feel free to add more checks such as the input interface.
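To make the lookup order described in the reply concrete, here is an added Python model (not from the original mail, not kernel code) of the rule walk: the local table is consulted before any "ip rule" entry, so a source-based "unreachable" rule never affects packets for IPA, while the two conntrack-based REJECT rules do. The addresses for network A, network B and the box itself are constructed assumptions.

```python
import ipaddress

# Constructed example addressing (assumptions, not from the original mail).
NET_A = ipaddress.ip_network("192.168.1.0/24")   # masqueraded private net
NET_B = ipaddress.ip_network("10.0.0.0/24")      # routed network
IPA = ipaddress.ip_address("192.168.1.1")
IPB = ipaddress.ip_address("10.0.0.1")
IP_INTERNET = ipaddress.ip_address("203.0.113.5")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCAL_ADDRS = {IPA, IPB, IP_INTERNET}

# Equivalent of: ip rule add type unreachable to <network_a> from <network_b>
# Tuples are (to_network, from_network, rule_type).
UNREACHABLE_RULE = [(NET_A, NET_B, "unreachable")]


def route_lookup(src, dst, rules=()):
    """Model the kernel's rule walk: the local table (priority 0) is
    checked first, so a local destination is delivered before any
    user-added rule is even examined."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in LOCAL_ADDRS or dst in LOOPBACK:
        return "local"
    for to_net, from_net, rule_type in rules:
        if dst in to_net and src in from_net:
            return rule_type
    return "forward"


def netfilter_verdict(src, dst, ctstate):
    """Model the two REJECT rules from the reply (no ip rule installed).
    Locally delivered packets traverse INPUT, routed ones FORWARD; only
    NEW connections from network B are rejected, so replies to
    connections opened from network A still pass."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chain = "INPUT" if route_lookup(src, dst) == "local" else "FORWARD"
    if ctstate == "NEW" and src in NET_B:
        if chain == "FORWARD" and dst in NET_A:
            return "REJECT"   # iptables -A FORWARD -s B -d A --state NEW
        if chain == "INPUT" and dst == IPA:
            return "REJECT"   # iptables -A INPUT -s B -d IPA --state NEW
    return "ACCEPT"
```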