Re: Joining subnets
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Mon, 24 Aug 2009 14:54:31 -0500
On Mon, 24 Aug 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <69e15fde-f7e6-47fa-85b1-f2cac9cbd517@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
billbo wrote:
NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.
>> ibupro...@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:
>>> Net 1:
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref   Use Iface
>>> 192.168.10.0    0.0.0.0         255.255.255.0   U     0      0   89948 eth0
>>> 192.168.11.0    192.168.10.6    255.255.255.0   UG    0      0   32165 eth0
>>> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     388 lo
>>> 0.0.0.0         192.168.10.248  0.0.0.0         UG    0      0    2673 eth0
>>> NET 2:
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref   Use Iface
>>> 192.168.11.0    0.0.0.0         255.255.255.0   U     0      0   89948 eth0
>>> 192.168.10.0    192.168.11.6    255.255.255.0   UG    0      0   32165 eth0
>>> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     388 lo
>>> This allows net 1 to talk to the world via the gateway at 192.168.10.248
>>> and to net 2 via a different gateway.
> The servers subnet and the lan subnet are not physically connected.
That's what it shows above. The world has only been doing this for maybe
24 years - see RFC0950, RFC1122, RFC1219 and RFC1812 available through
your favorite search engine. The box at 192.168.10.6 and 192.168.11.6 is
a router with two NICs.
> The linux nat firewall is being used to connect them only at specified
> ports and ip addresses like a bridge.
Sounds much more complicated than it needs to be.
> Each lan client is then routed to this bridge to access services on
> the server subnet. By using nat, I do not have to worry about routing
> to the lan network from the servers. The nat fw also seems to offer
> better isolation as the lan network is being treated as an untrusted
> network.
Routing does not have to forward every packet for every port/address.
In your response to Wolfgang Draxinger, you state
> The fw+nat (fw being iptables) is the security feature and is used to
> limit ports and IP addresses, the nat is to avoid having to route from
> the server network.
Using a firewall is fine - but the NAT adds nothing and only adds problems.
It also complicates logging and access control.
> The NAT is also effective in preventing the spread of broadcast junk
> and garbage and prevents my logs from getting filled up with martian
> source errors.
Martian source errors are due to a lack of a route. Were this not the
case, don't you think that every computer connected to the Internet
would be reporting martian sources for every OTHER computer in the
world? It doesn't happen if the route exists. Mind you, the router
doesn't have to forward every packet to every address, so security
isn't a problem. Likewise, tcp_wrappers have been around for 15 years
(the last change was March 1997).
> Also, JUST a FYI, while NAT in itself is not an acceptable security
> solution, most network nasties cannot traverse NAT nor can they scan
> through NAT, the same cannot be said about routed networks.
Apparently, no one has ever heard of policy routing - it too has only
been around for over 20 years, such that there are about 12 RFCs on
the subject.
Old guy
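The layout Moe Trin is arguing for, as an added example that is not part of the original post or of either poster's setup: a two-NIC Linux box at 192.168.10.6 / 192.168.11.6 that routes between the subnets with no NAT, and an iptables FORWARD chain with a DROP policy that opens only the listed services from the LAN side to the server side. The addresses and the per-host routes are the ones shown in the routing tables above; the interface names (eth0 toward the LAN, eth1 toward the servers) and the list of allowed services are assumptions made for the example. Setting DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): routed two-NIC Linux router
# with a default-deny FORWARD chain, no NAT.
# Assumptions: eth0 faces the 192.168.10.0/24 LAN, eth1 faces the
# 192.168.11.0/24 server subnet, and ALLOWED is the service list to open.

LAN_IF=eth0
SRV_IF=eth1
LAN_NET=192.168.10.0/24
SRV_NET=192.168.11.0/24
# proto:port pairs the LAN may open toward the servers (assumed list).
ALLOWED="tcp:22 tcp:80 tcp:443 tcp:53 udp:53"

# Execute a command, or print it when DRY_RUN=1 (review without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Router side: addresses, forwarding, and the filter rules. Because the
# router holds an address on both subnets it needs no extra routes itself.
configure_router() {
    run ip addr add 192.168.10.6/24 dev "$LAN_IF"
    run ip addr add 192.168.11.6/24 dev "$SRV_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # Reverse-path filter: a packet whose source is not routable back out
    # the interface it arrived on is dropped as a martian. With the routes
    # below in place on the hosts, legitimate traffic is unaffected.
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Return traffic for already-accepted connections needs no further rules.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Open only the listed services, only from the LAN toward the servers.
    for svc in $ALLOWED; do
        proto=${svc%%:*}
        port=${svc#*:}
        run iptables -A FORWARD -i "$LAN_IF" -o "$SRV_IF" \
            -s "$LAN_NET" -d "$SRV_NET" -p "$proto" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Anything else is logged (rate-limited) and then falls to the DROP policy.
    run iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FWD-DROP: "
}

# Host side: the one route each LAN client and each server adds, matching
# the "UG" lines in the routing tables quoted above. Servers see the real
# client addresses, so no NAT bookkeeping and no unroutable (martian) sources.
lan_client_routes() {
    run ip route add "$SRV_NET" via 192.168.10.6 dev eth0
}
server_routes() {
    run ip route add "$LAN_NET" via 192.168.11.6 dev eth0
}

# Review helper: number of ACCEPT rules the router configuration installs
# (one for established traffic plus one per allowed service).
count_accept_rules() {
    DRY_RUN=1 configure_router | grep -c -- '-j ACCEPT'
}

# Print the router rule set when invoked directly with DRY_RUN=1.
if [ "${DRY_RUN:-0}" = 1 ]; then
    configure_router
fi
```

Run it as `DRY_RUN=1 sh router.sh` to review the exact `ip` and `iptables` commands before applying them as root; the same FORWARD rules would be the whole of the "limit ports and IP addresses" policy, with the NAT table untouched.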