
Re: Blocking direct private IP address

To: Andrew Kraslavsky <andykras@hotmail.com>
Subject: Re: Blocking direct private IP address
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Date: Thu, 1 Mar 2007 04:52:48 +0100 (MET)
Cc: netfilter@lists.netfilter.org
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <BAY119-F26E778C8C143FF9F0EBA49D6800@phx.gbl>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References: <BAY119-F26E778C8C143FF9F0EBA49D6800@phx.gbl>
Sender: netfilter-bounces@lists.netfilter.org
On Feb 28 2007 19:12, Andrew Kraslavsky wrote:

[recap
> external 10.0.0.1/24
> internal 192.168.0.1/24
]

>
> Thanks for the pointer but the question here is about the destination IP
> address, not the source.
>
> When I create the DNAT rule, the private IP address to which I want my
> public address to map suddenly becomes directly accessible to hosts on
> the public network.

Then don't add a DNAT rule.

> I.e. I want hosts on the public network to _have_to_ send traffic to 
> the public IP of 10.0.0.1 but, after adding that rule, they can 
> actually send traffic to that address _AND_ also directly to the 
> private IP address of the Web server at 192.168.0.99.

Your DNAT rule is broken:

> iptables -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination 192.168.0.99

You are forwarding _ALL_ traffic, _ALL_ ports. (And you can never reach 
the real 10.0.0.1 from the outside using 10.0.0.1.)


Jan
-- 


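As an added illustration of the point made in the reply (not code from the thread or from the netfilter project): the quoted rule translates every protocol and every port aimed at 10.0.0.1, so nothing else on the router is reachable from outside, and nothing stops a host on the external side from addressing 192.168.0.99 directly. The script below narrows the DNAT to the one service being published and adds FORWARD rules that accept only translated traffic to the web server, dropping anything from the external interface that is addressed straight to the private range. Interface names eth0/eth1 and TCP port 80 are assumptions; the addresses are the ones from the recap. Run `sh fix-dnat.sh show` to print the rules without applying them, or `sh fix-dnat.sh apply` as root to append them to the live tables.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed layout:
#   eth0 = external side (10.0.0.1/24), eth1 = internal side (192.168.0.1/24)
#   web server at 192.168.0.99, published on TCP port 80 only.
EXT_IF=eth0
INT_IF=eth1
PUBLIC_IP=10.0.0.1
WEB_IP=192.168.0.99
PRIVATE_NET=192.168.0.0/24

# IPT=echo turns every call into a dry run that prints the rule instead of applying it.
IPT="${IPT:-iptables}"
ipt() { "$IPT" "$@"; }

# Narrow DNAT: only TCP/80 to the public address is rewritten. Every other
# port and protocol still reaches the router itself, which the broad
# "-d 10.0.0.1 -j DNAT" rule quoted in the thread made impossible.
dnat_rules() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_IP":80
}

# FORWARD policy: DNAT alone does not prevent direct access to 192.168.0.99;
# the filter table has to refuse forwarded packets that were not translated.
forward_rules() {
    ipt -P FORWARD DROP
    # Replies and related traffic for connections already accepted.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Accept web traffic from outside only if it went through the DNAT above
    # (ctstate DNAT); a packet sent directly to 192.168.0.99 never matches this.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport 80 \
        -m conntrack --ctstate DNAT -j ACCEPT
    # Anything else arriving on the external side for the private range is dropped.
    ipt -A FORWARD -i "$EXT_IF" -d "$PRIVATE_NET" -j DROP
    # Internal hosts may initiate outbound connections (SNAT/MASQUERADE not shown).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
}

case "${1:-}" in
    apply) dnat_rules; forward_rules ;;
    show)  IPT=echo; dnat_rules; forward_rules ;;
esac
```

The `--ctstate DNAT` match is what separates the two cases the original poster could not tell apart: a packet that arrived for 10.0.0.1:80 and was rewritten carries the DNAT state, while one addressed directly to 192.168.0.99 does not and falls through to the DROP rule. Listing `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` after applying shows the counters on each rule, which is the quickest way to confirm that direct attempts are hitting the DROP line rather than the ACCEPT.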