gixer (n00b) - Joined: 22 Nov 2003, Posts: 28, Location: Cypress, CA, USA
Posted: Wed Apr 06, 2005 8:08 am    Post subject: ifconfig aliases weirdness?
Hi all, I have searched and come up with nothing yet, so I figured I'd ask the experts. Here's the scenario:
I am installing a Gentoo-based server to act like a PIX/firewall at our co-lo. We have 64 IPs assigned to us. Here is an example of what I am using to forward traffic via iptables (IPs have been changed to protect the innocent):
iptables -t nat -A PREROUTING -d 1.2.3.1 -p tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -d 1.2.3.1 -p tcp --dport 53 -j DNAT --to-destination 192.168.0.1:53
iptables -t nat -A PREROUTING -d 1.2.3.1 -p udp --dport 53 -j DNAT --to-destination 192.168.0.1:53
iptables -t nat -A PREROUTING -d 1.2.3.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:80
iptables -t nat -A PREROUTING -d 1.2.3.1 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.1:443
2 issues/questions...
1. I have aliased eth0 with ALL 63 IPs and here's the problem... random IPs STOP responding. It's like they die, and then come back... ping then no ping... I don't understand why. And the funny thing is, it takes about half an hour for this behaviour to appear! I have selected ALL the options in the kernel config under iptables. (I am doing the aliasing in the /etc/conf.d/net file, but I also tried /etc/conf.d/local.start; I wanted the aliases set up ahead of everything else, so I opted for the net file.)
2. The purpose of this setup is to emulate a PIX, so I want to drop all other traffic except the entries like the ones above. How would I do this? I have used the following to allow SSH (to an inside linux box, from there I can ssh into the gateway machine, a little 'extra' security):
iptables -I INPUT -s (a select few IPs) -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j DROP
Any other security advice would be greatly appreciated (with examples of course) as this is a production setup, and needs to be as secure as possible.
Thank you everyone in advance...
-Allan
_________________
If you had to rebuild your car's engine on the freeway, every week, would that be ok? Then why would you use windowz?
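For question 2, here is an added example (not gixer's or mayyah's code) that generates the "drop everything except the published services" ruleset the post asks for: default DROP on INPUT and FORWARD, conntrack-based accepts for replies, and one DNAT plus one matching FORWARD accept per service. The WAN IP 1.2.3.1, inside host 192.168.0.1 and the port list are the post's own (changed) values; the interface name eth0, the SNAT/outbound rules for the inside host and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: print a default-deny iptables ruleset for the setup above.
# Values from the post: WAN IP 1.2.3.1, inside host 192.168.0.1, services.
# Assumed: interface name, outbound/SNAT handling, helper names.
# Only prints the commands; review them, then run them as root.

pix_rules() {
    wan_if=$1; wan_ip=$2; inside=$3; shift 3
    # Start clean, then default-deny on INPUT and FORWARD (PIX-style).
    printf 'iptables -F\niptables -t nat -F\n'
    printf 'iptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n'
    # Loopback, plus replies to connections conntrack already knows about.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # One DNAT plus one matching FORWARD accept per published proto/port;
    # with FORWARD defaulting to DROP the DNAT alone lets nothing through.
    for svc in "$@"; do
        proto=${svc%/*}; port=${svc#*/}
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$wan_if" "$wan_ip" "$proto" "$port" "$inside" "$port"
        printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$wan_if" "$inside" "$proto" "$port"
    done
    # Assumed: the inside host may open outbound connections (e.g. DNS
    # recursion) and leaves with the same public IP it is published on.
    printf 'iptables -A FORWARD -o %s -s %s -m state --state NEW -j ACCEPT\n' \
        "$wan_if" "$inside"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$wan_if" "$inside" "$wan_ip"
}

# Number of iptables commands the generator produced (sanity check).
rule_count() { pix_rules "$@" | grep -c '^iptables'; }

# Usage: sh pix_rules.sh eth0 1.2.3.1 192.168.0.1 tcp/22 tcp/53 udp/53 tcp/80 tcp/443
if [ "$#" -ge 4 ]; then
    pix_rules "$@"
fi
```

Management SSH from the select few source IPs (the `-I INPUT` rule in the post) would be added as an explicit INPUT accept before the default DROP takes effect; every other port on every alias is then simply not answered.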
mayyah (n00b) - Joined: 29 Mar 2005, Posts: 7, Location: Washington, DC
Posted: Wed Apr 06, 2005 3:30 pm    Post subject:
If you have many ips and connections to all of them, you may be running out of space for the connection tracking tables.
See:
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
I've solved some problems by setting these two variables higher on my gateway:
sysctl -w net/ipv4/neigh/default/gc_thresh3=100000
sysctl -w net/ipv4/ip_conntrack_max=32760
With many internal IPs, make sure you have 512MB or more memory in your gateway machine.