LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-03-2007, 03:45 AM   #1
farhan
Member
 
Registered: Feb 2003
Distribution: xNIX
Posts: 121

How does iptables -A FORWARD handle two-way traffic without using connection tracking?


Hi

Just a bit confused about a firewall rule. I have gone through the iptables documentation and Google but have been unable to find the answer.
It would be highly appreciated if anyone could advise.

The scenario is as follows

My pc------------iptables-firewall(Forwarding table)-------------- server

If the default policy for the forwarding table is DROP and I add the
following rule, without matching any connection tracking states (NEW,
ESTABLISHED, RELATED):

-A FORWARD -d server-ip -j ACCEPT
(everything accepted for testing, without connection tracking)

Now I telnet to the server on port 23 from my PC. The firewall will
allow the first packet with TCP SYN set. But will it allow the
returning packet from the server to my PC with TCP SYN and ACK set, as
there is no rule in the table like -A FORWARD -s server-ip -j ACCEPT
which would allow the returning packet?

Do I need to add both of the above forwarding rules (for two-way traffic between my PC and the server), or will the first be
enough and automatically allow the returning packet even though I
haven't explicitly used the NEW, ESTABLISHED states etc.?
 
Old 09-03-2007, 08:19 AM   #2
mariogarcia
Member
 
Registered: Sep 2005
Distribution: debian, solaris 10
Posts: 192

I believe you have to make a rule for established, related connections.
 
Old 09-03-2007, 11:59 AM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Yes, you'd ideally want to do this with a RELATED,ESTABLISHED rule, but since you don't want to use connection tracking for whatever reason, you can imitate the old-school stateless ipchains method with something like:
Code:
iptables -A FORWARD -p TCP -i $WAN -o $LAN -d $SERVER --dport 23 -j ACCEPT
iptables -A FORWARD -p TCP -i $LAN -o $WAN -s $SERVER --sport 23 -j ACCEPT
Remember you'll also need the relevant PREROUTING rule to DNAT the incoming packets, and a POSTROUTING rule to SNAT the outgoing ones.
 
Old 09-05-2007, 03:22 AM   #4
farhan
Member
 
Registered: Feb 2003
Distribution: xNIX
Posts: 121

Original Poster
Thanks mariogarcia and win32sux,

What I understood is, if I am using filtering with connection tracking (NEW, ESTABLISHED, RELATED) then there is no need to add the rule for returning traffic, whereas in stateless filtering I need to add two rules for two-way traffic. Please confirm if my understanding is correct?
 
Old 09-05-2007, 12:31 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by farhan
What I understood is, if I am using filtering with connection tracking (NEW, ESTABLISHED, RELATED) then there is no need to add the rule for returning traffic, whereas in stateless filtering I need to add two rules for two-way traffic. Please confirm if my understanding is correct?
Yeah, but if you wanted to be more precise, you could say that when using connection tracking you only need to make special rules allowing the initiation of a connection, and the rest of the packets for that connection (and connections directly related to it) will get handled by the connection tracking.
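To make the difference between the three rule sets in this thread concrete, here is an added simulation (not code from any poster) of a FORWARD chain with policy DROP evaluated against the telnet handshake. It models the OP's single "-d server-ip" rule, win32sux's stateless dport/sport pair, and a conntrack-style NEW plus RELATED,ESTABLISHED pair with a deliberately simplified flow table; the addresses and ports are constructed.

```python
from collections import namedtuple

# Constructed packet model: addresses, ports and TCP flags only.
Packet = namedtuple("Packet", "src sport dst dport flags")
CLIENT, SERVER = "10.0.0.5", "192.168.1.10"   # constructed "my pc" and "server"

class Conntrack:
    """Toy conntrack: a flow is ESTABLISHED once its first packet was ACCEPTed.
    Real conntrack tracks TCP state in detail; this only models direction."""
    def __init__(self):
        self.flows = set()
    def key(self, p):          # same key for both directions of a flow
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])
    def state(self, p):
        return "ESTABLISHED" if self.key(p) in self.flows else "NEW"
    def confirm(self, p):
        self.flows.add(self.key(p))

def run_chain(rules, packets, ct=None):
    """Walk the FORWARD chain (policy DROP) for each packet in order.
    Returns the list of verdicts, one per packet."""
    verdicts = []
    for p in packets:
        verdict = "DROP"                       # chain policy
        for match, target in rules:
            if match(p, ct):
                verdict = target
                break
        if verdict == "ACCEPT" and ct is not None:
            ct.confirm(p)                      # accepted packet creates the flow
        verdicts.append(verdict)
    return verdicts

ONLY_DST = [(lambda p, ct: p.dst == SERVER, "ACCEPT")]   # -A FORWARD -d server-ip -j ACCEPT
STATELESS = [                                             # win32sux's ipchains-style pair
    (lambda p, ct: p.dst == SERVER and p.dport == 23, "ACCEPT"),
    (lambda p, ct: p.src == SERVER and p.sport == 23, "ACCEPT"),
]
STATEFUL = [                                              # -m state --state RELATED,ESTABLISHED, then NEW --syn
    (lambda p, ct: ct.state(p) == "ESTABLISHED", "ACCEPT"),
    (lambda p, ct: ct.state(p) == "NEW" and p.dst == SERVER
                   and p.dport == 23 and p.flags == "SYN", "ACCEPT"),
]

HANDSHAKE = [Packet(CLIENT, 40000, SERVER, 23, "SYN"),
             Packet(SERVER, 23, CLIENT, 40000, "SYN,ACK"),
             Packet(CLIENT, 40000, SERVER, 23, "ACK")]
# A reply-looking packet from port 23 that no client SYN ever asked for.
UNSOLICITED = [Packet(SERVER, 23, CLIENT, 50000, "SYN,ACK")]

def demo():
    return {"only_dst": run_chain(ONLY_DST, HANDSHAKE),
            "stateless": run_chain(STATELESS, HANDSHAKE),
            "stateful": run_chain(STATEFUL, HANDSHAKE, Conntrack()),
            "stateless_unsolicited": run_chain(STATELESS, UNSOLICITED),
            "stateful_unsolicited": run_chain(STATEFUL, UNSOLICITED, Conntrack())}
```

The single -d rule drops the SYN,ACK, so the handshake never completes; both other sets pass it, but only the conntrack set drops the unsolicited "reply", which is why the stateless --sport 23 rule is the weaker choice.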
 