[plug] Prevent Gateway from redirecting
Adrian Chadd
adrian at creative.net.au
Fri Dec 29 15:42:36 WST 2006
On Fri, Dec 29, 2006, Cameron Patrick wrote:
> Cameron Patrick wrote:
>
> > Adrian Chadd wrote:
> >
> > > Just disable ICMP redirects:
> >
> > He's asking about iptables -j REDIRECT, not ICMP redirect packets.
>
> Actually scratch that, re-reading the original message again I'm not
> entirely sure I understand what Tim was on about at all...
I know what he's saying:
* his default gateway on his network is .1;
* the Linux box has a default route of .10, which is on the same network as .1;
* so when the Linux box receives a packet that's destined for the greater world
and sees that the default gateway -it- would forward it to is on the same LAN
as the source device, Linux sends an ICMP redirect to the original host,
saying "from now on just send to .10!"
* And this is breaking the transparent interception he's doing with -j REDIRECT.
So, I just suggest putting all your network traffic through the linux box and
disable redirects. In fact, I'd actually suggest putting the modem on a private
VLAN or physical network interface and do shaping/whatnot on the linux box
which is, in essence, acting as your gateway and firewall device. You can still
continue doing NAT on either the modem/router or the Linux gateway, it wouldn't
matter.
Still - just disable ICMP redirects. I'm sure there's a way to do selective
ICMP redirect responses based on iptables rules, but it'll be more trouble than
it's worth in the long run.
Adrian
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
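As an added example (not from this thread or its participants), a small POSIX shell check for the "just disable ICMP redirects" advice above. It assumes the kernel's documented rule that an interface sends redirects when either net.ipv4.conf.all.send_redirects or the per-interface net.ipv4.conf.<iface>.send_redirects is 1 (a logical OR), so zeroing only the "all" knob is not enough; the sysctl sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): given `sysctl -a` style
# output, decide on which interfaces a Linux host will still send ICMP
# redirects, and print the sysctl lines that switch them off everywhere.
# Assumption: effective = conf.all.send_redirects OR conf.<iface>.send_redirects.

# Constructed sample: only the "all" knob was zeroed, eth0 kept the default of 1.
SAMPLE='net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.lo.send_redirects = 0'

# Print "iface=effective" per real interface; effective is 1 if redirects go out.
effective_redirects() {
    all=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.conf\.all\.send_redirects *= *//p')
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.all.*|net.ipv4.conf.default.*) continue ;;
            net.ipv4.conf.*.send_redirects*) ;;
            *) continue ;;
        esac
        iface=${line#net.ipv4.conf.}
        iface=${iface%%.*}
        val=${line##*= }
        # ${all:-1}: a missing "all" line means the kernel default (1).
        if [ "${all:-1}" -eq 1 ] || [ "$val" -eq 1 ]; then
            echo "$iface=1"
        else
            echo "$iface=0"
        fi
    done
}

# Space-separated names of interfaces that still emit redirects ("" if none).
still_redirecting() {
    effective_redirects "$1" | sed -n 's/=1$//p' | tr '\n' ' ' | sed 's/ $//'
}

# sysctl.conf lines disabling redirects on all, default and every listed iface.
fix_lines() {
    printf 'net.ipv4.conf.all.send_redirects = 0\n'
    printf 'net.ipv4.conf.default.send_redirects = 0\n'
    effective_redirects "$1" | sed 's/=.*//' | while IFS= read -r i; do
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$i"
    done
}

echo "still redirecting: $(still_redirecting "$SAMPLE")"
fix_lines "$SAMPLE"
```

Feed it the real output of `sysctl -a 2>/dev/null | grep send_redirects` to audit a gateway, and put the printed lines in /etc/sysctl.conf to make the fix survive a reboot.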