LinuxQuestions.org

Linux - Networking: Good Old IPTABLES Question (https://www.linuxquestions.org/questions/linux-networking-3/good-old-iptables-question-3403/)

jrmann1999 06-14-2001 05:45 PM

Well, I'm getting my bearings and have just comprehended the path that packets traverse through the iptables chains. My question now is this: how does the ip_conntrack module work? Sure, sure, I've read the related howto/documentation, but it hasn't clarified anything one bit. One example that keeps being repeated is:
# iptables -P INPUT DROP(I know what this does, I just put it for reference)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and so forth. My question is, what exactly is this doing? I know it's got something to do with allowing packets that are established or already related to go through the INPUT chain. But what determines an established or related packet? If you could, can you relate it to a masqueraded host? The way I'm picturing it, my Win2k box tries to establish a connection to some outside FTP site (example only) through the firewall; the firewall (with a default policy of dropping all packets on INPUT) recognizes that a connection was made behind it and then allows the packet?

My question now is, how can I adapt this to allow incoming connections to hosts behind my firewall (more specifically for DCC)? I know this could start a whole other thread, but everything recent that I read says that conntrack is used for incoming DCC requests.

Thanks
J

rebby 06-20-2001 08:12 AM

The conntrack module does just that: it tracks connections. Your Linux box keeps track of all connections so that it can determine which ones are related, and makes its ESTABLISHED,RELATED decision based on that. You may want to do a little bit of research on stateful firewalls (i.e. Checkpoint); that might give you some further insight not covered in the Linux docs...

raz 06-20-2001 09:59 AM

It's a mix of both related connections and the ACK/SYN TCP flag settings.

Let me explain:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule checks that the incoming TCP packet's state is ESTABLISHED, so the incoming packet must not be the first packet to make the connection to your firewall (this means it has an ACK flag set and not a SYN ACK flag).

If it was the first host to make the connection, then a SYN ACK flag would be set in the packet, meaning some server started the connection to yours first (not what you want if you're a firewall, OK if it's to your webserver).

So the TCP handshake that comes back once you started the connection doesn't have the SYN flag set, so the --state ESTABLISHED option tells it to accept the packet and forward it to the INPUT chain, which forwards it to the requesting IP from the network address translation table.

You can still switch off the SYN flag and spoof firewalls into accepting the packet, but ip_conntrack backs up the --state ESTABLISHED check by verifying that this is true.

Hope that helps.
/Raz
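As an added example (not code from this thread or from the kernel), the following Python script is a small model of what ip_conntrack does when it labels a packet NEW, ESTABLISHED, RELATED or INVALID. It is meant to answer both the original question (what actually makes a packet ESTABLISHED or RELATED, and how an incoming DCC connection gets past a DROP policy) and Raz's point about packets that carry ACK but were never preceded by a SYN. The class and function names (ConnTracker, input_chain, run_scenario), the addresses and the traffic are all constructed for illustration; NAT is not modelled, so packets are shown as they would appear on the firewall's external interface after masquerading.

```python
"""Toy model of ip_conntrack state classification (constructed example, not kernel code).
Addresses are those seen on the firewall's external interface; NAT is not modelled."""
import re
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


@dataclass
class Conn:
    orig: Tuple5                  # tuple of the packet that created the entry
    seen_reply: bool = False      # a packet has been seen in the reply direction
    expected: bool = False        # entry was created from a helper expectation
    helper: Optional[str] = None  # "ftp"/"irc": inspect this control channel


class ConnTracker:
    HELPER_PORTS = {21: "ftp", 6667: "irc"}  # like the helpers' ports= module argument

    def __init__(self) -> None:
        self.table: Dict[Tuple5, Conn] = {}
        # (proto, dst, dport) that a helper told us to expect -> the master connection
        self.expectations: Dict[Tuple[str, str, int], Tuple5] = {}

    def classify(self, p: Packet) -> str:
        """The state that `-m state --state ...` would match this packet against."""
        t = (p.proto, p.src, p.sport, p.dst, p.dport)
        rt = (p.proto, p.dst, p.dport, p.src, p.sport)
        if t in self.table:                          # original direction
            conn = self.table[t]
            self._helper(conn, p)
            if conn.seen_reply:
                return "ESTABLISHED"
            return "RELATED" if conn.expected else "NEW"
        if rt in self.table:                         # reply direction
            self.table[rt].seen_reply = True         # traffic now seen both ways
            return "ESTABLISHED"
        exp = (p.proto, p.dst, p.dport)
        if exp in self.expectations:                 # a helper predicted this flow
            del self.expectations[exp]
            self.table[t] = Conn(orig=t, expected=True)
            return "RELATED"
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "INVALID"   # mid-stream TCP with no entry (assumes nf_conntrack_tcp_loose=0)
        self.table[t] = Conn(orig=t, helper=self.HELPER_PORTS.get(p.dport))
        return "NEW"

    def _helper(self, conn: Conn, p: Packet) -> None:
        """Watch the control channel and register the data connection it announces."""
        text = p.payload.decode("ascii", "replace")
        if conn.helper == "ftp":   # active FTP "PORT h1,h2,h3,h4,p1,p2": server connects back
            m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
            if m:
                a, b, c, d, hi, lo = map(int, m.groups())
                self.expectations[("tcp", f"{a}.{b}.{c}.{d}", hi * 256 + lo)] = conn.orig
        elif conn.helper == "irc":  # CTCP "DCC SEND <file> <ip-as-int> <port> ..." (no spaces in name)
            m = re.search(r"\x01DCC (?:SEND|CHAT) \S+ (\d+) (\d+)", text)
            if m:
                addr = socket.inet_ntoa(struct.pack("!I", int(m.group(1))))
                self.expectations[("tcp", addr, int(m.group(2)))] = conn.orig


def input_chain(ct: ConnTracker, p: Packet) -> Tuple[str, str]:
    """-P INPUT DROP ; -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"""
    state = ct.classify(p)
    return ("ACCEPT" if state in ("ESTABLISHED", "RELATED") else "DROP"), state


FW, FTP, IRC, PEER = "198.51.100.1", "203.0.113.5", "203.0.113.9", "203.0.113.77"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Constructed traffic; returns (label, verdict, state) for each packet."""
    ct, log = ConnTracker(), []

    def tx(label: str, p: Packet) -> None:   # leaving the firewall: tracked, never hits INPUT
        log.append((label, "OUT", ct.classify(p)))

    def rx(label: str, p: Packet) -> None:   # arriving at the firewall: runs the INPUT chain
        log.append((label,) + input_chain(ct, p))

    # 1. Active-mode FTP: we open the control channel, the server connects back for data
    tx("ftp syn",      Packet("tcp", FW, 40000, FTP, 21, syn=True))
    rx("ftp syn/ack",  Packet("tcp", FTP, 21, FW, 40000, syn=True, ack=True))
    tx("ftp PORT",     Packet("tcp", FW, 40000, FTP, 21, ack=True,
                              payload=b"PORT 198,51,100,1,157,0\r\n"))        # 157*256+0 = 40192
    rx("ftp data syn", Packet("tcp", FTP, 20, FW, 40192, syn=True))
    # 2. IRC DCC SEND: we advertise our address:port in the CTCP, the peer connects to it
    tx("irc syn",      Packet("tcp", FW, 40300, IRC, 6667, syn=True))
    rx("irc syn/ack",  Packet("tcp", IRC, 6667, FW, 40300, syn=True, ack=True))
    tx("irc DCC SEND", Packet("tcp", FW, 40300, IRC, 6667, ack=True,
                              payload=b"PRIVMSG bob :\x01DCC SEND notes.txt 3325256705 4001 1234\x01\r\n"))
    rx("dcc data syn", Packet("tcp", PEER, 51234, FW, 4001, syn=True))       # 3325256705 == 198.51.100.1
    # 3. Unsolicited traffic: a fresh SYN, and an ACK-only packet pretending to be mid-stream
    rx("ssh syn",      Packet("tcp", PEER, 5555, FW, 22, syn=True))
    rx("ssh ack-only", Packet("tcp", PEER, 5556, FW, 22, ack=True))
    return log
```

Running run_scenario() shows the three cases the thread is about: the FTP and IRC replies are ESTABLISHED because the firewall already holds an entry for the outbound connection, the server's data connection and the peer's DCC connection are RELATED only because a helper parsed the control channel and registered an expectation for exactly that address and port, and the unsolicited SYN to port 22 is NEW and hits the DROP policy. The ACK-only packet with no matching entry is INVALID, which is the check Raz refers to: stripping the SYN flag does not get a packet past a stateful rule, because the state is looked up in the table rather than read from the flags. On a real box the same effect comes from loading the kernel helpers (ip_conntrack_ftp and ip_conntrack_irc on 2.4, nf_conntrack_ftp and nf_conntrack_irc on later kernels); the ESTABLISHED,RELATED rule in INPUT or FORWARD then admits the incoming DCC SYN without opening the port to everyone. The INVALID branch assumes nf_conntrack_tcp_loose=0; with the default of 1, conntrack picks up a mid-stream ACK as a NEW connection, which a DROP policy still rejects in INPUT.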

