  1. #1: Just Joined! (joined Apr 2006, 6 posts)

    Private IP addresses in iptables

    Hi,

    I am using iptables to set up a very simple DiffServ router to be used in a research testbed. The testbed is an isolated set of computers, each assigned private IP addresses, as none of them are connected to the Internet. When I try to add iptables rules using these IP addresses, rfc1918.blackhole.iana.org is listed in the source and destination address fields.

    RFC 1918 describes the use of private IP addresses, so I assume this means that you cannot use private addresses for iptables rules. (This makes sense because these addresses shouldn't be routed or routable.) However, for my isolated test scenario it makes sense to use private addresses. Is there any way to get around this?

    Also when I last used iptables (2 years ago) this was not a problem and I assume it is an added feature. I am using iptables 1.3.5.

    thanks in advance,

    Richard

  2. #2: cyberinstru, Linux User (joined Jan 2007, India, 362 posts)
    "When I try to add iptables rules using these IP addresses, rfc1918.blackhole.iana.org is listed in the source and destination address fields."
    What do you exactly mean by this?


    As such there are no issues in using iptables with Private IP addresses.

    The only condition is when you are receiving a packet from the Internet: if the source address is private, then it is invalid, malformed, spoofed, etc.

    So it is better to drop packets with private IPs as the source.

    In your case, as you have segregated the network, there need not be any hiccups in framing iptables rules.
    ---------------------------------
    Registered Linux User #440311
    HI2ARUN _AT_ GMAIL _DOT_ COM
    ---------------------------------

  3. #3: Just Joined! (joined Apr 2006, 6 posts)
    Hi,

    Let me clarify. I have a segregated network with 2 subnets, say 10.129.2.0/24 and 10.129.3.0/24. I want a software router to sit between them and forward packets accordingly.

    When I run for instance the command:

    iptables -A FORWARD -s 10.129.3.1 -d 10.129.2.1 -j ACCEPT

    I get the following output for iptables -L

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- rfc1918.blackhole.iana.org rfc1918.blackhole.iana.org


    If I use different IP addresses, i.e. not private ones then the correct IP addresses are listed in the source and destination fields.

    thanks again for the quick response,

    Richard

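The rule in post #3 is accepted by the kernel exactly as typed; what looks odd is only the listing. `iptables -L` reverse-resolves every address to a hostname before printing it, and rfc1918.blackhole.iana.org is simply what the resolver returned for the 10.0.0.0/8 addresses, which is why non-private addresses displayed "correctly" while these did not. `iptables -n -L` prints numeric addresses and the match itself is unaffected either way. The script below is an added example, not code from the thread or from either poster: it builds the two-subnet FORWARD policy the original poster describes and goes a little beyond it with stateful matching, a logging rule for dropped traffic, and one DSCP marking rule, since the box is meant to be a DiffServ router. The interface names eth0/eth1 and the UDP port 5001 used for the marking rule are assumptions. Rules are emitted as text by default so the policy can be reviewed (and tested) on any machine; pass `apply` as root to load them.

```shell
#!/bin/sh
# Added example, not from the original thread: minimal forwarding policy
# between two private testbed subnets, plus one DiffServ marking rule.
set -eu

LAN_A="10.129.2.0/24"
LAN_B="10.129.3.0/24"
IF_A="eth0"   # assumption: interface facing 10.129.2.0/24
IF_B="eth1"   # assumption: interface facing 10.129.3.0/24

# filter table: default-deny in FORWARD, allow new flows between the two
# subnets on the expected interface pair, allow replies, log the rest.
filter_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_A -o $IF_B -s $LAN_A -d $LAN_B -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $IF_B -o $IF_A -s $LAN_B -d $LAN_A -m state --state NEW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
EOF
}

# mangle table: mark one traffic class with DSCP EF (port 5001 is an
# assumed test-traffic port, e.g. an iperf stream).
mangle_rules() {
    cat <<EOF
iptables -t mangle -A FORWARD -s $LAN_A -d $LAN_B -p udp --dport 5001 -j DSCP --set-dscp-class EF
EOF
}

# Full policy as a list of iptables commands, one per line.
build_rules() {
    filter_rules
    mangle_rules
}

# Load the policy into the kernel and show it. Needs root.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_rules | sh -e
    # -n: print numeric addresses instead of reverse-DNS names, so the
    # listing shows 10.129.x.y rather than whatever PTR the resolver returns.
    iptables -n -v -L FORWARD
    iptables -t mangle -n -v -L FORWARD
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Running the script with no argument prints the rules for review; `sh thisscript.sh apply` installs them. The interface constraints (`-i`/`-o`) matter even on an isolated testbed: without them a host on one subnet could inject packets claiming a source address from the other subnet and still be forwarded.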
  4. #4: cyberinstru, Linux User (joined Jan 2007, India, 362 posts)
    Well, the iptables package seems to be handling bogon IPs. That's it. Nothing to worry about.

  5. #5: Just Joined! (joined Apr 2006, 6 posts)
    But I have set up the rules to forward packets from selected IP addresses to the correct network, and these packets cannot be forwarded because iptables complains that they are private addresses.

    I suppose I could just give the subnets non-private IP addresses (This would make no difference being segregated) but I was curious as to why this functionality was not allowed.

  6. #6: cyberinstru, Linux User (joined Jan 2007, India, 362 posts)
    "These packets cannot be forwarded because iptables complains that they are private addresses."
    Hey, do you mean to say that your packets are getting dropped?

    Nope. It should not be. Can you re-check if this rule is causing the trouble?

  7. #7: Just Joined! (joined Apr 2006, 6 posts)
    hmmm. I will recheck this, perhaps I just assumed that they were being dropped because the iptables output was hassling.

    Anyway thanks for the quick replies, and I will repost if it is in fact dropping these packets.

  8. #8: cyberinstru, Linux User (joined Jan 2007, India, 362 posts)
    Hey, also you are not using any agents like ipset or shorewall on top of iptables, right?

  9. #9: Just Joined! (joined Apr 2006, 6 posts)
    Nope, just plain iptables.

  10. #10: cyberinstru, Linux User (joined Jan 2007, India, 362 posts)
    Fine. Then no issues. I have heard that ipset/shorewall do such bogon IP checks and packet dropping.

    iptables should not be dropping packets like this. There could be some minor glitch in the rules framed.

    Good luck
