Thread: Netfilter Related states support

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130

    Netfilter Related states support

    Basic Netfilter configurations question:

    I would like to route through a Linux box and use Netfilter to filter connections. As a first step I want to allow only FTP from "inside" to "outside", so I have written the following script:

    - I'm not using NAT at this time
    - eth0 is inside and eth1 is outside

    _____________________________________________
    #!/bin/sh
    IPTABLES=/sbin/iptables
    echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    # allow ftp clients to go outside for ftp sessions
    $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport ftp -m state --state NEW -j ACCEPT
    # let reply and related traffic back through in either direction
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ______________________________________________

    My question is (assuming that other things are correct):

    Will this configuration allow ICMP response messages, like "destination unreachable" or equivalents, to be forwarded BACK (outside-->inside) through the firewall?

    I think that it will, since ICMP messages like that will be identified by Netfilter as "RELATED" and will be passed back to the client. But I would like to hear from you guys. Also, suggestions are ALWAYS welcome.

    P.S. (If you know of another thread that has explained this subject to death, please let me know; I tried "netfilter icmp related" and other combinations and didn't get anything that matches this issue.)
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: Netfilter Related states support

    Originally posted here by cacosapo
    > Basic Netfilter configurations question:
    >
    > I would like to route through a Linux box and use Netfilter to filter connections. As a first step I want to allow only FTP from "inside" to "outside", so I have written the following script:
    >
    > - I'm not using NAT at this time
    > - eth0 is inside and eth1 is outside
    > [...]
    > My question is (assuming that other things are correct):
    >
    > Will this configuration allow ICMP response messages, like "destination unreachable" or equivalents, to be forwarded BACK (outside-->inside) through the firewall?
    Yes, the ESTABLISHED,RELATED will ensure that ICMP echo-replies will make it back through the f/w.

    > I think that it will, since ICMP messages like that will be identified by Netfilter as "RELATED" and will be passed back to the client. But I would like to hear from you guys. Also, suggestions are ALWAYS welcome.
    In your case, it would be flagged as "ESTABLISHED" since you initiated the question, but you are correct, it will forward it back through.

    > P.S. (If you know of another thread that has explained this subject to death, please let me know; I tried "netfilter icmp related" and other combinations and didn't get anything that matches this issue.)
    The netfilter documentation itself is pretty thorough; read the Netfilter Howtos, specifically the Networking-Concepts and Packet-Filtering howtos at:
    http://www.netfilter.org/documentati...entation-howto

    I am also presuming you will have a line that reads something akin to:
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
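
    A toy model of the connection-tracking decision the question and the reply above turn on, added here as an example and not code from the thread: it classifies each packet the way Netfilter's state match would under the poster's FORWARD ruleset (policy DROP, NEW tcp/21 from eth0, then ESTABLISHED,RELATED) and reports the verdict. Addresses, ports and the packet set are constructed; a real ICMP error such as destination unreachable quotes the header of the datagram that triggered it, and conntrack looks that quoted header up, which is why such errors come back as RELATED, while an echo-reply to a tracked echo-request is ESTABLISHED.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """in_if: arrival interface (eth0 inside, eth1 outside); inner: datagram quoted by an ICMP error."""
    in_if: str; proto: str; src: str; dst: str
    sport: int = 0; dport: int = 0
    icmp_type: str = ""; inner: "Pkt | None" = None

def tuple_of(p):
    if p.proto == "icmp":
        return ("icmp", p.src, p.dst, p.icmp_type)
    return ("tcp", p.src, p.dst, p.sport, p.dport)

def reverse(t):  # the reply-direction tuple of a tracked original-direction tuple
    if t[0] == "icmp":
        return ("icmp", t[2], t[1], {"echo-request": "echo-reply", "echo-reply": "echo-request"}.get(t[3], t[3]))
    return ("tcp", t[2], t[1], t[4], t[3])

def ct_state(table, p):
    """Toy conntrack: `table` holds the original-direction tuple of every tracked flow."""
    tracked = lambda t: t in table or reverse(t) in table
    if p.proto == "icmp" and p.inner is not None:
        # An ICMP error is RELATED only when the packet it quotes belongs to a tracked flow.
        return "RELATED" if tracked(tuple_of(p.inner)) else "INVALID"
    return "ESTABLISHED" if tracked(tuple_of(p)) else "NEW"

def forward(table, p):
    """The poster's FORWARD chain: policy DROP; NEW tcp/21 arriving on eth0 (two-interface
    box, so in eth0 means out eth1); then ESTABLISHED,RELATED in either direction."""
    st = ct_state(table, p)
    if st == "NEW" and p.in_if == "eth0" and p.proto == "tcp" and p.dport == 21:
        table.add(tuple_of(p))  # an accepted NEW packet creates the conntrack entry
        return st, "ACCEPT"
    return st, ("ACCEPT" if st in ("ESTABLISHED", "RELATED") else "DROP")

def run_scenario():
    table, client, server, router = set(), "10.0.0.5", "203.0.113.7", "203.0.113.1"  # constructed
    syn = Pkt("eth0", "tcp", client, server, 40001, 21)
    cases = [
        ("ftp-syn", syn),
        ("ftp-synack", Pkt("eth1", "tcp", server, client, 21, 40001)),
        ("unreach-for-ftp", Pkt("eth1", "icmp", router, client, icmp_type="dest-unreach", inner=syn)),
        ("stray-unreach", Pkt("eth1", "icmp", router, client, icmp_type="dest-unreach",
                              inner=Pkt("eth0", "tcp", client, server, 40009, 22))),
        ("ping-from-inside", Pkt("eth0", "icmp", client, server, icmp_type="echo-request")),
        ("http-syn", Pkt("eth0", "tcp", client, server, 40002, 80)),
    ]
    return {name: forward(table, p) for name, p in cases}
```

    The model has no FTP helper: on a real box the FTP data connection only becomes RELATED once the ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) module is loaded, so without it this ruleset passes the control channel but drops the data channel.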
