[plug] Prevent Gateway from redirecting

Adrian Chadd adrian at creative.net.au
Fri Dec 29 15:42:36 WST 2006


On Fri, Dec 29, 2006, Cameron Patrick wrote:
> Cameron Patrick wrote:
> 
> > Adrian Chadd wrote:
> > 
> > > Just disable ICMP redirects:
> > 
> > He's asking about iptables -j REDIRECT, not ICMP redirect packets.
> 
> Actually scratch that, re-reading the original message again I'm not
> entirely sure I understand what Tim was on about at all...

I know what he's saying:

* his default gateway on his network is .1;
* the Linux box has a default route of .10, which is on the same network as .1;
* so when the Linux box receives a packet that's destined for the greater world
  and sees that the default gateway -it- would forward it to is on the same LAN
  as the source device, Linux sends an ICMP redirect to the original host,
  saying "from now on just send to .10!"
* And this is breaking the transparent interception he's doing with -j REDIRECT.

So, I just suggest putting all your network traffic through the Linux box and
disabling redirects. In fact, I'd actually suggest putting the modem on a private
VLAN or physical network interface and doing shaping/whatnot on the Linux box
which is, in essence, acting as your gateway and firewall device. You can still
continue doing NAT on either the modem/router or the Linux gateway; it wouldn't
matter.

Still - just disable ICMP redirects. I'm sure there's a way to do selective
ICMP redirect responses based on iptables rules, but it'll be more trouble than
it's worth in the long run.



Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
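The fix Adrian describes above, as an added example (not part of the original mail or of any project): a small POSIX sh script for the Linux box that is both the LAN's gateway and the transparent HTTP interceptor. It turns off ICMP redirect generation with the `send_redirects` sysctls and installs the `-j REDIRECT` rule. The interface name (`eth0`), the Squid port (`3128`) and the `DRY_RUN` knob are assumptions made for the example; the kernel ORs `conf/all` with the per-interface `send_redirects` value, so the "all" and interface entries must both be 0 before the box actually stops sending redirects.

```shell
#!/bin/sh
# Added example (not from the original mail): stop a Linux gateway from sending
# ICMP redirects, then intercept LAN port-80 traffic with -j REDIRECT.
# LAN_IF, SQUID_PORT and DRY_RUN are assumptions made for this example.
LAN_IF="${LAN_IF:-eth0}"          # assumed LAN-facing interface
SQUID_PORT="${SQUID_PORT:-3128}"  # assumed Squid listening port

# run: execute a command, or just print it when DRY_RUN=1, so the script can be
# reviewed or tested without root and without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# disable_send_redirects: the kernel ORs conf/all with the per-interface value
# for send_redirects, so "all", "default" (applies to interfaces added later)
# and the LAN interface itself must all be 0 before redirects stop.
disable_send_redirects() {
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w net.ipv4.conf.default.send_redirects=0
    run sysctl -w "net.ipv4.conf.${LAN_IF}.send_redirects=0"
}

# intercept_http: the box must forward (ip_forward=1) to act as the gateway at
# all; then LAN clients' port-80 traffic is redirected to the local proxy.
# Matching on -i LAN_IF keeps the rule from catching anything that arrives on
# the modem side.
intercept_http() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# redirects_still_on: return 0 (true) if any interface would still send
# redirects, reading the live values from /proc; use it to verify after apply.
redirects_still_on() {
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = 0 ] || return 0
    done
    return 1
}

# Usage: sh gateway-redirect.sh apply        (as root)
#        DRY_RUN=1 sh gateway-redirect.sh apply   (just print the commands)
if [ "${1:-}" = apply ]; then
    disable_send_redirects
    intercept_http
    redirects_still_on && echo "warning: some interface still sends redirects" >&2
fi
```

Two caveats worth keeping in mind. The redirect is only ever generated when the kernel would send a packet back out the interface it arrived on, which is exactly the single-LAN layout in the mail; if you take Adrian's second suggestion and put the modem on its own interface or VLAN, the condition never arises and the sysctls become belt-and-braces. And `send_redirects` is the knob for a router that *emits* redirects; `accept_redirects` is the unrelated setting for a host that *honours* them, and turning that off on the clients would not help here.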
