icmp redirect [long]

Petr pn na ok.cz
Pondělí Říjen 13 15:10:06 CEST 2003 

Ahoj,

struktura site je tato
                                               

  inet - - -  firewall - - - --  192.168.1.0/24
    		                   |
                	           |---- router -  192.168.5.0/24


na firewalu jsou staticke routy :

Destination     Gateway         Genmask         Flags Metric Ref    Use 
Iface
inet                     *               255.255.255.240 U     0      
0        0 eth0
192.168.5.0     192.168.1.10    255.255.255.0   UG    0      0        0 eth1
localnet        *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         gw inet   0.0.0.0         UG    1      0        0 eth0

posilani icmp redirect je povolene

# cat /proc/sys/net/ipv4/conf/*/send_redirects
1
1
1
1
1

Misto aby pri konexi ze site 192.168.5.0 na stroj v 192.168.1.0 poslal 
firewall stroji 192.168.1.155 icmp redirect, snazi se sam smerovat :

brana# tcpdump -i eth1 host  192.168.1.155
tcpdump: listening on eth1
12:34:26.199080 arp who-has brana tell 192.168.1.155
12:34:26.199120 arp reply brana is-at 0:8:c7:25:44:3a
12:34:26.199257 192.168.1.155.netbios-ssn > 192.168.5.243.3668: S 
11615403:11615403(0) ack 18332319 win 8760 <mss 1460,nop,nop,sackOK> (DF)
12:34:29.139747 192.168.1.155.netbios-ssn > 192.168.5.243.3668: . ack 1 
win 8760 (DF)
12:34:29.213972 192.168.1.155.netbios-ssn > 192.168.5.243.3668: S 
11615403:11615403(0) ack 18332319 win 8760 <mss 1460,nop,nop,sackOK> (DF)
12:34:35.137452 192.168.1.155.netbios-ssn > 192.168.5.243.3668: . ack 1 
win 8760 (DF)
12:34:35.293115 192.168.1.155.netbios-ssn > 192.168.5.243.3668: S 
11615403:11615403(0) ack 18332319 win 8760 <mss 1460,nop,nop,sackOK> (DF)
12:34:47.133250 192.168.1.155.netbios-ssn > 192.168.5.243.3668: . ack 1 
win 8760 (DF)
12:34:47.449254 192.168.1.155.netbios-ssn > 192.168.5.243.3668: S 
11615403:11615403(0) ack 18332319 win 8760 <mss 1460,nop,nop,sackOK> (DF)

pri konexi ze site 192.168.1.0 na stroj v 192.168.5.0 fw posle redirect 
a je vse ok :

brana# tcpdump -i eth1 host 192.168.1.155
tcpdump: listening on eth1
14:51:28.258424 192.168.1.155 > 192.168.5.243: icmp: echo request
14:51:28.258776 192.168.1.155 > 192.168.5.243: icmp: echo request
14:51:28.259774 arp who-has 192.168.1.155 tell 192.168.1.10
14:51:29.260130 192.168.1.155 > 192.168.5.243: icmp: echo request
14:51:29.260300 brana > 192.168.1.155: icmp: redirect 192.168.5.243 to 
host 192.168.1.10 [tos 0xc0]
14:51:29.260363 192.168.1.155 > 192.168.5.243: icmp: echo request

v iptables na fw problem si myslim neni

$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
$IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT


Na fw je jadro 2.4.23-pre6,  Slackware 9.1.0

diky za jakykoli napad

Petr

Další informace o konferenci Linux