Re: IP access restriction
From: Nigel Wade (nmw_at_ion.le.ac.uk)
Date: Wed, 13 Oct 2004 14:24:14 +0100 To: For users of Fedora Core releases <firstname.lastname@example.org>
Rick Lim wrote:
> I have a friend that has a few boxes directly on the internet, which he
> thinks are being access by unwanted "visitors".
> These machine still have to have routable IP address but should have limited
> access from external IP subnets.
> What would be suitable for limiting IP subnet access to these address?
> Would a 'firewall' like machine with IPTABLES be able to accomplish this,
> that is without changing the IP address passed through the 'firewallish'
What's the network topology? If it's possible to insert a single device in
the network which carries all traffic then it is possible to add a bridging
You can create bridging firewalls with iptables. We operate one here between
our subnet and the Uni. router. Building a bridging firewall is pretty
You need to install the bridge-utils package first. Then create a bridge
interface with the brctl command, and give it a name (here its called
# brctl addbr nameOfBridgeInterface
then you add ethernet cards to the bridge (you can have multiple cards in
each segment, and the bridging software uses spanning-tree to provide
redundancy). For 2 cards, eth0 and eth1, with 1 in each segment you would do:
# brctl addif nameOfBridgeInterface eth0
# brctl addif nameOfBridgeInterface eth1
then put the cards in promiscuous mode (they need to accept all packets):
# ifconfig eth0 promisc 0.0.0.0
# ifconfig eth1 promisc 0.0.0.0
then, if you want to be able to connect to the bridge, you create a network
script for it, /etc/sysconfig/network-scripts/ifcfg-nameOfBridgeInterface
The startup scripts will take care of everything else. Iptables rules can be
applied to the FORWARD chain for packets traversing the bridge, or to the
INPUT/OUTPUT chains for packets destined to/from the bridge itself. You can
also add rules for each card.
You should not have any network initialization on eth0 or eth1, the bridge
rules above do the necessary work, activating the card in promiscuous mode
and assigning no IP.
One problem is that most GUIs for iptables assume you are setting up either
a personal firewall or a NAT firewall. The only GUI I know that even
acknowledges that a bridging firewall is a possibility is fwbuilder, and you
still need to check the rules carefully with that as it has a tendency to
create spurious rules.
-- Nigel Wade, System Administrator, Space Plasma Physics Group, University of Leicester, Leicester, LE1 7RH, UK E-mail : email@example.com Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555 -- fedora-list mailing list firstname.lastname@example.org To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list