[ale] sanity check

James P. Kinney III jkinney at localnetsolutions.com
Mon Dec 3 17:30:30 EST 2007


I think I found a bug (kernel 2.6.17) but I need to confirm my
understanding of things first:

Scenario: firewall machine between T1 and LAN. Firewall has two physical
NICs. The external NIC is set up to listen to 4 IPs. The internal to one
IP.

Need to forward mail to the mail machine, ssh to certain machines and
http to one machine.

The usual is to use the iptables nat table and reroute incoming IPs to
their respective internal IPs.

So external ssh connection to machine A arrives on IP foo.2 and is
DNAT'ed to 192.168.0.2.

Here's the problem: All ssh connections appear to ORIGINATE from the
firewall at the ssh machine.

So the bug appears to be in the DNAT mapping that is supposed to only
change the destination IP but appears to also change the source IP.

This failure occurs for ssh and mail and http. All internal machines
report all incoming traffic as originating from the firewall and not
from the real source.

This makes ssh sanity checks a challenge.
-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions, LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7