Originally posted here by cacosapo
Basic Netfilter configurations question:

I would like to route thru a Linux box and use Netfilter to filter connections. As a 1st step I want to allow only ftp from "inside" to "outside", so I have written the following script:

- im not using NAT at this time
- eth0 is inside and eth1 is outside
[...]
my question is: (assuming that other things are correct):

Will this configuration allow ICMP response messages to be forwarded BACK (outside-->inside) thru the firewall? Like "destination unreachable" or equivalents?
Yes, the ESTABLISHED,RELATED will ensure that ICMP echo-replies will make it back through the f/w.

I think that it will, since ICMP messages like that will be identified by Netfilter as "RELATED" and will be passed back to the client. But I would like you guys, Also suggestions are ALWAYS welcome.
In your case, it would be flagged as "ESTABLISHED" since you initiated the question, but you are correct, it will forward it back through.

P.S. (if you know that there is another thread that has explained this subject to death please let me know - I tried "netfilter icmp related" and other combinations and didn't receive anything that matches this issue)
The netfilter documentation itself is pretty thorough; read the Netfilter Howtos, specifically the Networking-Concepts and Packet-Filtering howtos at:
http://www.netfilter.org/documentati...entation-howto

I am also presuming you will have a line that reads something akin to:
IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
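Since the poster's script is elided above, here is an added example (not cacosapo's script and not from the netfilter project) of the stateful FORWARD policy the thread describes: FTP from eth0 (inside) to eth1 (outside) with no NAT, where return traffic, helper-opened FTP data connections and ICMP errors come back through ESTABLISHED,RELATED. It assumes a recent iptables with the nf_conntrack_ftp helper; the interface names and the DRY_RUN/apply switch are mine.

```shell
#!/bin/sh
# Added example, not the poster's script. Stateful FORWARD policy: inside hosts
# (eth0) may open FTP sessions to the outside (eth1), nothing else is forwarded.
IPTABLES=${IPTABLES:-iptables}
INSIDE=eth0
OUTSIDE=eth1
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules, 0 = apply them

# Run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Enable routing and the FTP helper. Since kernel 4.7 helpers are no longer
# attached automatically, so the CT target assigns "ftp" to control connections.
enable_forwarding_and_helper() {
    sysctl -w net.ipv4.ip_forward=1
    modprobe nf_conntrack_ftp
    ipt -t raw -A PREROUTING -i "$INSIDE" -p tcp --dport 21 -j CT --helper ftp
}

build_forward_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Outside -> inside: only traffic belonging to a session the inside opened.
    # Echo replies are ESTABLISHED; FTP data connections set up by the helper
    # and ICMP errors such as destination-unreachable are RELATED, so both pass.
    ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inside -> outside: new FTP control connections, plus the rest of those sessions.
    ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # INVALID packets are dropped outright; anything else is logged, then hits the DROP policy.
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
}

case "${1:-show}" in
    apply) DRY_RUN=0; enable_forwarding_and_helper; build_forward_rules ;;
    show)  build_forward_rules ;;
esac
```

Run it with no argument to review the generated rules; run it as root with `apply` to install them.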