May 6th, 2004, 03:24 PM
#1
Netfilter Related states support
Basic Netfilter configuration question:
I would like to route through a Linux box and use Netfilter to filter connections. As a first step I want to allow only FTP from "inside" to "outside", so I have written the following script:
- I'm not using NAT at this time
- eth0 is inside and eth1 is outside
_____________________________________________
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow ftp clients to go outside for ftp sessions
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport ftp -m state --state NEW -j ACCEPT
# replies and related traffic for tracked connections, in either direction
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
______________________________________________
My question is (assuming that other things are correct):
Will this configuration allow ICMP response messages to be forwarded BACK (outside-->inside) through the firewall, like "destination unreachable" or equivalents?
I think that it will, since ICMP messages like that will be identified by Netfilter as "RELATED" and will be passed back to the client. But I would like to hear from you guys. Also, suggestions are always welcome.
P.S. (If you know of another thread that has explained this subject to death, please let me know; I tried "netfilter icmp related" and other combinations and didn't find anything that matches this issue.)
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
May 6th, 2004, 10:15 PM
#3
Re: Netfilter Related states support
Originally posted here by cacosapo
Basic Netfilter configuration question:
I would like to route through a Linux box and use Netfilter to filter connections. As a first step I want to allow only FTP from "inside" to "outside", so I have written the following script:
- I'm not using NAT at this time
- eth0 is inside and eth1 is outside
[...]
My question is (assuming that other things are correct):
Will this configuration allow ICMP response messages to be forwarded BACK (outside-->inside) through the firewall, like "destination unreachable" or equivalents?
Yes, the ESTABLISHED,RELATED will ensure that ICMP echo-replies will make it back through the f/w.
I think that it will, since ICMP messages like that will be identified by Netfilter as "RELATED" and will be passed back to the client. But I would like to hear from you guys. Also, suggestions are always welcome.
In your case, it would be flagged as "ESTABLISHED" since you initiated the question, but you are correct, it will forward it back through.
P.S. (If you know of another thread that has explained this subject to death, please let me know; I tried "netfilter icmp related" and other combinations and didn't find anything that matches this issue.)
The netfilter documentation itself is pretty thorough; read the Netfilter HOWTOs, specifically the Networking-Concepts and Packet-Filtering HOWTOs at:
http://www.netfilter.org/documentati...entation-howto
I am also presuming you will have a line that reads something akin to:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
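As an added example (not code from the original thread or from either poster), here is the same inside-to-outside FTP policy written as a complete script, with the two things the posted ruleset leaves implicit. First, the FTP conntrack helper: without it the data connection of an active-mode transfer (server port 20 back to the client) arrives as a NEW connection from the outside and is dropped by the FORWARD policy. Second, how conntrack classifies ICMP: an ICMP error such as destination-unreachable or time-exceeded that quotes a tracked connection is RELATED, while an echo reply to a tracked echo request is ESTABLISHED, so the single ESTABLISHED,RELATED rule carries both back to the client. The interface names, the LAN prefix 192.168.1.0/24, the DRY_RUN and NAT switches and the run_cmd/fw wrappers are assumptions of this example. By default it prints the commands it would run; execute it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Stateful forwarding policy:
# FTP from the inside interface to the outside, replies and ICMP errors back.
# Assumptions: the eth0/eth1 roles, the LAN prefix, and the DRY_RUN/NAT switches.
set -eu

INSIDE=${INSIDE:-eth0}          # assumption: LAN-facing interface
OUTSIDE=${OUTSIDE:-eth1}        # assumption: Internet-facing interface
LAN=${LAN:-192.168.1.0/24}      # assumption: constructed LAN prefix
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands, 0 = execute (needs root)
NAT=${NAT:-0}                   # 1 = also masquerade LAN traffic leaving OUTSIDE

# run_cmd: print the command in dry-run mode, otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fw: one iptables invocation routed through run_cmd.
fw() { run_cmd iptables "$@"; }

apply_ruleset() {
    run_cmd sysctl -w net.ipv4.ip_forward=1

    # The FTP helper parses PORT/PASV on the control channel and registers an
    # expectation, so the data connection is classified RELATED instead of NEW.
    # 2.4 kernels name the module ip_conntrack_ftp; 2.6 and later nf_conntrack_ftp.
    run_cmd modprobe nf_conntrack_ftp

    # Start from empty filter chains with a default-deny policy.
    for chain in INPUT OUTPUT FORWARD; do
        fw -F "$chain"
        fw -P "$chain" DROP
    done
    fw -t nat -F
    fw -t raw -F

    # Kernels 4.7+ no longer attach helpers automatically: bind the ftp helper
    # to LAN-originated control connections explicitly in the raw table.
    fw -t raw -A PREROUTING -i "$INSIDE" -p tcp --dport 21 -j CT --helper ftp

    # Replies and related packets for tracked flows, in either direction.
    # ICMP errors quoting a tracked connection (destination-unreachable,
    # time-exceeded, ...) are RELATED; an echo reply to a tracked echo request
    # is ESTABLISHED. "-m conntrack --ctstate" is the modern spelling of "-m state".
    fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (out-of-window segments, asymmetric
    # routing) are dropped instead of being evaluated against the NEW rules.
    fw -A FORWARD -m state --state INVALID -j DROP

    # New FTP control connections from the LAN to the outside only. --syn keeps a
    # mid-stream ACK that loose tracking would call NEW from matching this rule.
    fw -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$LAN" \
        -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT

    # Optional NAT: only needed when the LAN uses private addresses.
    if [ "$NAT" = 1 ]; then
        fw -t nat -A POSTROUTING -o "$OUTSIDE" -s "$LAN" -j MASQUERADE
    fi

    # Log what falls through so policy mistakes are visible in the kernel log.
    fw -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"
    fw -A FORWARD -j DROP
}

apply_ruleset
```

The order of the FORWARD rules matters: the ESTABLISHED,RELATED rule comes first so that return traffic and ICMP errors for any tracked flow are accepted before the direction-specific NEW rule is consulted, and the INVALID drop sits between them so that packets conntrack cannot place in a flow never reach the NEW rule. Check the helper is actually bound after a transfer with `cat /proc/net/nf_conntrack`; the control connection entry should carry `helper=ftp`.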