Old 06-14-2001, 05:45 PM   #1
Registered: Feb 2001
Location: Texas
Distribution: Slackware, Mandrake, LFS
Posts: 306

Rep: Reputation: 30

Well, I'm getting my bearings and have just comprehended the method that packets traverse when in an iptable. My question is now this: how does the ip_conntrack module work? Sure, sure, I've read the related howto/documentation, but it hasn't clarified anything one bit. One example that keeps being repeated is:
# iptables -P INPUT DROP (I know what this does, I just put it for reference)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and so forth. My question is, what exactly is this doing? I know it's got something to do with allowing packets that are established or already related to go through the input chain. But what determines an established or related packet? If you could, can you relate it to a masqueraded host? The way I'm picturing it, my Win2k box tries to establish a connection to some outside ftp site (example only) through the firewall; the firewall (with a default policy of drop all packets on input) recognizes that a connection was made behind it and then allows the packet?

My question now is, how can I adapt this to allow incoming connections behind my firewall (more specifically for DCC)? I know this could start a whole other thread, but everything I read that's recent says that conntrack is used for incoming DCC requests.

Old 06-20-2001, 08:12 AM   #2
LQ Newbie
Registered: Apr 2001
Location: Hugo, MN
Distribution: Slackware, RedHat
Posts: 24

Rep: Reputation: 15
the conntrack module does just that... track connections... your linux box keeps track of all connections so that it can determine which ones are related and makes its ESTABLISHED,RELATED decision based on that... you may want to do a little bit of research on stateful firewalls (ie: checkpoint). that might give you some further insight not covered in linux docs...
Old 06-20-2001, 09:59 AM   #3
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
It's a mix of both connection related connections and ACK SYN TCP flag settings.

Let me explain:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule checks that the incoming tcp packet's state is ESTABLISHED, so the incoming packet must not be the first packet to make the connection to your firewall "this means it has an ACK flag set and not a SYN ACK flag"

If it was the first host to make the connection then a SYN ACK flag would be set in the packet, meaning some server started the connection to yours first. "not what you want if you're a firewall, ok if it's to your webserver"

So the TCP handshake that's come back once you started the connection doesn't have the SYN flag set, so the --state ESTABLISHED option tells it to accept the packet and forward it to the input chain, which forwards it to the requesting IP from the Network address translation table.

You can still switch off the SYN flag and spoof firewalls into accepting the packet, but the ip_conntrack backs up the --state ESTABLISHED match by checking if this is true.

Hope that helps.
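To make the state decisions in this thread concrete, here is an added toy model of the conntrack table (example code written for this page, not the kernel's ip_conntrack or anything posted by the participants). It walks the masqueraded-host scenario from the first post: a LAN client opens an FTP control connection, the server's reply is ESTABLISHED because it matches the reversed tuple of a flow already in the table, and the active-mode data connection coming back in is RELATED because the ftp helper registered an expectation for it (the irc helper handles DCC the same way). It also shows why a bare ACK with no prior SYN is not ESTABLISHED, the point made in the last reply. All addresses, ports and the `ConntrackTable`, `Packet`, `gateway_verdict` and `scenario` names are constructed for the example; NAT rewriting is left out because it does not change the state match, and a non-SYN packet with no entry is treated as INVALID (the real kernel makes this configurable via the nf_conntrack_tcp_loose sysctl, whose default instead picks such flows up as NEW).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just enough of a TCP/IP header for the state decision (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class ConntrackTable:
    """Minimal stand-in for the kernel's connection tracking table (a model, not kernel code)."""

    def __init__(self):
        # flows whose first packet was ACCEPTed; key = (src, sport, dst, dport)
        self.flows = set()
        # (dst, dport) pairs a protocol helper (ftp/irc) told us to expect
        self.expected = set()

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        # the same flow seen from the other direction
        return (p.dst, p.dport, p.src, p.sport)

    def classify(self, p):
        """Return the value `-m state --state` would see for this packet."""
        if self._key(p) in self.flows or self._reply_key(p) in self.flows:
            return "ESTABLISHED"          # any direction of a known flow
        if (p.dst, p.dport) in self.expected:
            return "RELATED"              # predicted by a helper from the control channel
        if p.syn and not p.ack:
            return "NEW"                  # first packet of a handshake
        # ACK without SYN and no table entry: nothing to relate it to (strict model)
        return "INVALID"

    def confirm(self, p):
        """The kernel only commits a new entry once the packet is ACCEPTed."""
        self.expected.discard((p.dst, p.dport))
        self.flows.add(self._key(p))

    def helper_expect(self, dst, dport):
        """What the ftp/irc helper does after parsing a PORT or DCC request (modelled)."""
        self.expected.add((dst, dport))


LAN_PREFIX = "192.168.0."   # constructed LAN range for the masquerading gateway


def gateway_verdict(ct, p):
    """Apply a ruleset in the spirit of the thread's example (constructed):
         -P FORWARD DROP
         -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
         -A FORWARD -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
    Returns (verdict, state)."""
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        if state == "RELATED":
            ct.confirm(p)
        return "ACCEPT", state
    if state == "NEW" and p.src.startswith(LAN_PREFIX):
        ct.confirm(p)
        return "ACCEPT", state
    return "DROP", state      # default policy; a dropped NEW never enters the table


def scenario():
    """The masqueraded Win2k box talking to an outside FTP server (all values constructed)."""
    ct = ConntrackTable()
    lan, ftp, outsider = "192.168.0.10", "203.0.113.5", "198.51.100.7"
    log = []
    # 1. LAN client opens the FTP control connection: first SYN, so NEW, allowed from the LAN.
    log.append(gateway_verdict(ct, Packet(lan, 40000, ftp, 21, syn=True)))
    # 2. The server's SYN/ACK matches the reversed tuple of that flow: ESTABLISHED.
    log.append(gateway_verdict(ct, Packet(ftp, 21, lan, 40000, syn=True, ack=True)))
    # 3. Active-mode FTP: the client sent PORT, so the helper expects a data connection
    #    from the server back to the client; that inbound SYN is RELATED, not NEW.
    ct.helper_expect(lan, 40001)
    log.append(gateway_verdict(ct, Packet(ftp, 20, lan, 40001, syn=True)))
    # 4. An unsolicited SYN from the Internet is NEW but not from the LAN: DROP.
    log.append(gateway_verdict(ct, Packet(outsider, 5555, lan, 139, syn=True)))
    # 5. The same host sending a bare ACK: no entry exists, so it is INVALID, not ESTABLISHED.
    log.append(gateway_verdict(ct, Packet(outsider, 5555, lan, 139, ack=True)))
    return log


if __name__ == "__main__":
    for verdict, state in scenario():
        print(f"{state:12s} -> {verdict}")
```

The useful thing to take from the model is that the ESTABLISHED/RELATED rule never looks at the SYN/ACK flags on its own; it looks the packet up in the table, and the table only gets an entry when the first packet of a flow (or a helper's expectation) was accepted earlier. That is why the last reply's "switch off the SYN flag" case fails against conntrack: with no entry, the packet is not ESTABLISHED no matter what its flags say.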

