Re: Blocking direct private IP address

["Andrew Kraslavsky" <andykras@hotmail.com>]

> From: Jan Engelhardt <jengelh@linux01.gwdg.de>
> To: Andrew Kraslavsky <andykras@hotmail.com>
> CC: netfilter@lists.netfilter.org
> Subject: Re: Blocking direct private IP address
> Date: Thu, 1 Mar 2007 00:35:14 +0100 (MET)
>
>
> On Feb 28 2007 15:20, Andrew Kraslavsky wrote:
> >
> > If I set up a host on the external/public network with a static route 
> that
> > causes it to send traffic addressed to 192.168.0.0/24 to the 10.0.0.1
> > external/public IP address of the firewall/router and then attempt to 
> access
> > the Web server using 192.168.0.99 as the address, these directly 
> addressed
> > packets get through the firewall.
>
> I did not find the question in your mail, but:
>
> Activate "rp_filter", and any hosts on 10.0.0.0/24 that uses a
> non-10.0.0.0/24 address as source will be ignored.
>
>
> Jan
> --
Thanks for the pointer but the question here is about the destination IP 
address, not the source.
When I create the DNAT rule, the private IP address to which I want my 
public address to map suddenly becomes directly accessible to hosts on the 
public network.
I.e. I want hosts on the public network to _have_to_ send traffic to the 
public IP of 10.0.0.1 but, after adding that rule, they can actually send 
traffic to that address _AND_ also directly to the private IP address of the 
Web server at 192.168.0.99.
_________________________________________________________________
Find a local pizza place, movie theater, and more?.then map the best route! 
http://maps.live.com/?icid=hmtag1&FORM=MGAC01