Rocking iptables like a DJ


Once some subnets are able to talk to the router things get interesting especially when to decide which subnet is allowed to reach each other or allowed to access services on the router.
Let’s say we have another private class A subnet ( connected to the router. Hosts from that subnet on eth1 should be able to connect to hosts on the subnet ( on eth0 interface without access to services running on the router itself !
Since the router wouldn’t talk to anyone it explicitly knows, we need to configure an IP address ( on the eth1 interface to have a route from the subnet to be physically reachable but without allowing the subnet in the firewall. This time we won’t use a makefile but allow forwarding temporarily eg:

me@host:~# -4 FORWARD_SUBNET eth0
# forwarding (eth1) to eth0.

The FORWARD_SUBNET call doesn’t take any protection measures and is therefore recommended only for forwarding internal subnets on different interfaces where protection isn’t needed. We also omit service discovery, UPNP or link-local traffic. When only FORWARD_SUBNET call is given it would just allow hosts from the class A subnet on eth1 to pass the interface barrier by forwarding to the eth0 interface but without having access to service discovery, UPNP or link-local since this traffic still can’t pass when going through different interfaces and would need an explicit ALLOW_SUBNET on the router’s interface.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source        destination         
    0     0 ACCEPT     all  --  eth0   eth1          state NEW /* FORWARD_SUBNET on 0x000e0c35edae to eth0 */
    0     0 ACCEPT     all  --  eth0   eth1          state RELATED,ESTABLISHED /* FORWARD_SUBNET on 0x000e0c35edae to eth0 */
    0     0 ACCEPT     all  --  eth1   eth0            /* FORWARD_SUBNET on 0x000e0c35edae to eth0 */
 2555  319K LOG        all  --  *      *            limit: avg 8/min burst 16 LOG flags 0 level 4 prefix "[FW4-DROP] "

Even when there would be other subnets (eg. configured on eth1 they would end up denied because FORWARD_SUBNET explicitly accepts only traffic from the specified subnet and only between the given interfaces they reside on although traffic originating from the class A subnet can be addressed anywhere it’s limited to subnets on the eth0 interface only which is in our case the class C subnet.


Figure D: Another private subnet which is forwarded internally only without allowing access to services on the router.


I'm a computer kid of the 80', not born but raised in good old' germany, playin' games, makin' music & lovin' the blues. My career started at an age of 10 in a shopping mall where they sold computers too. It was the first time ever i've seen such an electronic monster and was fascinated instantly. Later on i've learned my first programming skills (Basic) with a friend's Sinclair ZX 81. Yes, that one with the strange plastics keyboard. After that i got some experience with a Schneider CPC464 and the Commodore C64 until i fell in love with the Commodore Amiga, a machine with 4096 different colors which sounds nowadays to most like black'n'white tv's sounded to me at that time. We played a lot of games like Decathlon, The Last V8, Impossible Mission, Elite, Mega'lo'Mania, Xenon, Speedball or Chaos Engine and ruined a lot of those Competition Pro Joysticks. My favourites were mostly games by Sensible Software, Bitmap Brothers or Rainbow Arts. What i liked the most about that machine was it's AmigaOS, it's operating system was ahead of it's time. On this machine i learned my first assembler language (m68k) and the hardware internas. I watched the decline of Commodore with a tear in my eye and at some point i went over to usual business and my first PC and learned it's beastly manners.

вяоӣсо wrote 19 posts

Post navigation