[suse-security] Unwanted routing between subnets

[Holger Schletz <h.schletz@xxxxxxxxx>]

Hi,

I'm running a router on SuSE 8.2 which connects 2 local subnets to the 
internet. The subnets run over the same NIC with virtual interfaces:

eth0, subnet 192.168.0.0/255.255.0.0 (call it subnet A)
eth0:1, subnet 172.16.0.0/255.255.0.0 (call it subnet B)

(Yes, this is a mess, but fixing up this naturally grown network topology 
might induce even more trouble.)

eth1 connects to the internet.

The setup works; both subnets have internet access. However, subnet A is still 
accessible from subnet B and vice versa. This is not what I want; instead I 
want the two subnets to be invisible to each other.
There is no route from A to B or from B to A specified in the 
/etc/sysconfig/network directory (is there another place to look at?). Maybe 
this problem comes from the virtual interface stuff?

I tried to set up routing rules with the "unreachable", "prohibit" or 
"blackhole" option, but I did't find useful documentation on usage of these 
options and it did not work as expected. I also tried some custom rules for 
SuSEfirewall2, but no success either.

So what routing options and/or iptables rules do I have to use?

Thanks,
Holger



-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here