Hi,
Private IP addresses in iptables
- 03-20-2007 #1
Hi,
I am using iptables to set up a very simple DiffServ router to be used in a research testbed. The testbed is an isolated set of computers each assigned private IP addresses, as none of them are connected to the internet. When I try to add iptables rules using these IP addresses, rfc1918.blackhole.iana.org is listed in the source and destination address fields.
RFC 1918 describes the use of private IP addresses, so I assume this means that you cannot use private addresses for iptables rules. (This makes sense because these addresses shouldn't be routed or routable.) However, for my isolated test scenario it makes sense to use private addresses. Is there any way to get around this?
Also when I last used iptables (2 years ago) this was not a problem and I assume it is an added feature. I am using iptables 1.3.5.
thanks in advance,
Richard
- 03-20-2007 #2
What do you exactly mean by this?
Quote: "When I try to add iptables rules using these IP addresses, rfc1918.blackhole.iana.org is listed in the source and destination address fields."
As such there are no issues in using iptables with private IP addresses.
The only condition is when you are receiving a packet from the Internet: if the source address is private, then it is invalid, malformed, spoofed, etc.
So it is better to drop packets with private IPs as the source.
In your case, as you have segregated the network, there need not be any hiccups in framing iptables rules.
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
- 03-20-2007 #3
Hi,
Let me clarify. I have a segregated network with 2 subnets, say 10.129.2.0/24 and 10.129.3.0/24. I want a software router to sit between them and forward packets accordingly.
When I run for instance the command:
iptables -A FORWARD -s 10.129.3.1 -d 10.129.2.1 -j ACCEPT
I get the following output for iptables -L:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- rfc1918.blackhole.iana.org rfc1918.blackhole.iana.org
If I use different IP addresses, i.e. not private ones then the correct IP addresses are listed in the source and destination fields.
thanks again for the quick response,
Richard
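The following script is an added example and is not code from the thread. It builds the FORWARD rules for the two testbed subnets named in the post above, adds the "drop private sources arriving from the Internet" rules suggested in reply #2, and lists the chain with iptables -L -n -v. The -n flag is what matters for the output shown above: by default iptables -L performs a reverse DNS lookup on every address it prints, and the rfc1918.blackhole.iana.org names are what that lookup returned for the 10.129.x.y addresses; -n skips the lookup and prints the raw addresses. The interface name eth0 is an assumption (the testbed in the thread has no Internet-facing link at all); the is_rfc1918 helper, forward_rules, bogon_rules and list_cmd are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: FORWARD ruleset for the two testbed
# subnets, anti-spoofing rules for an Internet-facing interface, and a listing
# that uses -n so iptables prints addresses instead of reverse-DNS names.

LAN_A="10.129.2.0/24"   # subnet A from the thread
LAN_B="10.129.3.0/24"   # subnet B from the thread
WAN_IF="eth0"           # assumed (hypothetical) Internet-facing interface

# Return 0 when an IPv4 address (with or without a /prefix) lies inside one of
# the RFC 1918 blocks 10/8, 172.16/12 or 192.168/16; 1 otherwise; 2 if malformed.
is_rfc1918() {
    ip=${1%%/*}
    oldifs=$IFS
    IFS=.
    set -- $ip            # split into octets (function-local positional params)
    IFS=$oldifs
    if [ $# -ne 4 ]; then
        return 2
    fi
    case "$1" in
        10)
            return 0 ;;
        172)
            if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
        192)
            if [ "$2" -eq 168 ]; then return 0; fi ;;
    esac
    return 1
}

# Print the commands that forward traffic between the two testbed subnets.
# Private addresses are perfectly valid in a rule; iptables does not reject them.
forward_rules() {
    echo "iptables -A FORWARD -s $LAN_A -d $LAN_B -j ACCEPT"
    echo "iptables -A FORWARD -s $LAN_B -d $LAN_A -j ACCEPT"
}

# Print the anti-spoofing rules from reply #2: a packet arriving from the
# Internet side with an RFC 1918 source cannot be legitimate, so drop it.
# These belong only on the Internet-facing interface, never on the testbed
# links, whose hosts all carry private addresses.
bogon_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A FORWARD -i $WAN_IF -s $net -j DROP"
    done
}

# Confirm the testbed subnets really are private, so the operator knows the
# bogon rules above must not be bound to the testbed interfaces.
testbed_is_private() {
    is_rfc1918 "$LAN_A" && is_rfc1918 "$LAN_B"
}

# Listing command: -n suppresses the reverse-DNS lookup that turned 10.129.x.y
# into rfc1918.blackhole.iana.org; -v adds packet/byte counters, so whether a
# rule is actually dropping traffic can be read off instead of guessed at.
list_cmd() {
    echo "iptables -L FORWARD -n -v"
}

# Only touch the kernel on a real router: run as root, iptables present, and
# explicitly asked to with the "apply" argument. Otherwise just print the plan.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    forward_rules | sh
    bogon_rules | sh
    sh -c "$(list_cmd)"
else
    forward_rules
    bogon_rules
    list_cmd
fi
```

Run without arguments to see the rules it would install; run as root with the argument apply to install them and print the counter listing. Whether packets are really being dropped is then visible in the pkts column of the DROP rules rather than inferred from the hostnames in the listing.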
- 03-20-2007 #4
Well.. the iptables package seems to be handling bogon IPs. That's it. Nothing to worry about it.
- 03-20-2007 #5
But I have set up the rules to forward packets from selected IP addresses to the correct network, and these packets cannot be forwarded because iptables complains that they are private addresses.
I suppose I could just give the subnets non-private IP addresses (This would make no difference being segregated) but I was curious as to why this functionality was not allowed.
- 03-20-2007 #6
Hey, do you mean to say that your packets are getting dropped?
Quote: "these packets cannot be forwarded because iptables complains that they are private addresses."
Nope. It should not be. Can you re-check if this rule is causing the trouble?
- 03-20-2007 #7
hmmm. I will recheck this, perhaps I just assumed that they were being dropped because the iptables output was hassling.
Anyway thanks for the quick replies, and I will repost if it is in fact dropping these packets.
- 03-20-2007 #8
Hey, also you are not using any agents like ipset or shorewall on top of iptables, right?
- 03-20-2007 #9
Nope, just plain iptables
- 03-20-2007 #10
Fine. Then no issues. I have heard that ipset/shorewall do such bogon IP checks and packet dropping.
iptables should not be dropping packets like this. There could be some minor glitch in the rules framed.
Good luck