[Shorewall-users] How can I ping a private IP

Tom Eastep teastep at shorewall.net
Tue Mar 9 07:38:26 PST 2004


On Tuesday 09 March 2004 07:13 am, Tom Eastep wrote:
> On Tuesday 09 March 2004 05:47 am, M Lu wrote:
> > Hello,
> >
> > My network has an external interface, eth0 and 3 internal subnets
> > 10.9.9.x, 10.9.18.x and 10.9.27.x. By accident I saw that I can ping a
> > private IP, which should not be mine, 10.18.9.153.
> >
> > What could be wrong in my setup?
> >
> > Thank you.
> >
> >
> > My shorewall/interfaces contains:
> >
> > net     eth0            detect          dhcp,routefilter,norfc1918,blacklist
> > loc     eth1            detect
> > wifi    eth2            detect          maclist
> > dmz     eth3            detect
> >
> > My interfaces are
> >
> > 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:60:08:55:a8:fa brd ff:ff:ff:ff:ff:ff
> >     inet 10.9.9.254/24 brd 10.9.9.255 scope global eth1
> > 5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:10:4b:21:02:ae brd ff:ff:ff:ff:ff:ff
> >     inet 10.9.18.254/24 brd 10.9.18.255 scope global eth2
> > 6: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:10:4b:2c:a9:ef brd ff:ff:ff:ff:ff:ff
> >     inet 10.9.27.254/24 brd 10.9.27.255 scope global eth3
>
> Please forward the output of "shorewall show nat" as a text attachment.

There are two issues here:

a) How are you able to route packets across the internet to an RFC 1918 
address? The answer to that is that DNAT must be occurring before the 
outbound packets reach the internet and that DNAT is also occurring on the 
remote end. From the "shorewall show nat" output you sent, it appears that 
the outbound DNAT is occurring at your ISP. I don't believe that any form of 
tunneling is involved here because the intermediate routers all show up in 
the traceroute output.

b) Why didn't 'norfc1918' prevent this? Because that option only checks new 
connection requests from the internet; it does not check replies to 
connections initiated from your firewall or from your local systems.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
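The ordering Tom describes, as an added model written for this thread (not Shorewall's own code): connection tracking is consulted before the rfc1918 chain, so a reply to a flow that the inside opened is accepted as ESTABLISHED and the norfc1918 check never sees it, while an unsolicited (NEW) packet from the same private source on the net interface is dropped and logged. The interface names and the addresses 10.9.9.10 and 10.18.9.153 are sample values taken from or modelled on the thread; NAT is deliberately left out of the model.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 ranges that Shorewall's norfc1918 option checks for.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "iface src dst proto")


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


class Firewall:
    """Toy model of the check order: state match first, rfc1918 chain second.
    NAT is ignored; flows are keyed on (src, dst, proto) as seen from loc."""

    def __init__(self, net_iface):
        self.net_iface = net_iface
        self.conntrack = set()   # flows opened from inside the firewall
        self.log = []            # what the rfc1918 chain would have logged

    def send_out(self, pkt):
        # Outbound packet from loc towards net: record the flow so that a
        # reply (dst/src swapped) is later recognised as ESTABLISHED.
        self.conntrack.add((pkt.src, pkt.dst, pkt.proto))
        return "ACCEPT"

    def receive(self, pkt):
        # 1. Stateful match runs first: a reply to a tracked flow is accepted
        #    before any interface option such as norfc1918 is evaluated.
        if (pkt.dst, pkt.src, pkt.proto) in self.conntrack:
            return "ACCEPT (ESTABLISHED)"
        # 2. Only NEW packets arriving on the net interface hit the rfc1918 chain.
        if pkt.iface == self.net_iface and is_rfc1918(pkt.src):
            self.log.append(f"rfc1918: {pkt.src} -> {pkt.dst} on {pkt.iface}")
            return "DROP (rfc1918)"
        return "CONTINUE"


def scenario():
    """Constructed replay of the thread: a loc host pings 10.18.9.153."""
    fw = Firewall("eth0")
    decisions = [
        # loc host's echo request is forwarded out eth0 and its flow is tracked
        fw.send_out(Packet("eth1", "10.9.9.10", "10.18.9.153", "icmp")),
        # echo reply arrives on eth0: matches the tracked flow, so it is accepted
        fw.receive(Packet("eth0", "10.18.9.153", "10.9.9.10", "icmp")),
        # unsolicited packet from the same private address on eth0 is NEW: dropped
        fw.receive(Packet("eth0", "10.18.9.153", "10.9.9.10", "tcp")),
    ]
    return decisions, fw.log
```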