LinuxQuestions.org
Old 01-09-2007, 10:31 PM   #1
attojung
How to make iptables(NAT) not to send RST back


Hi,

I have some questions about using iptables to make a NAT.
Now my policy is

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Where eth0 is my internal network and eth1 is external network.

And with this, once my NAT gets an unsolicited TCP SYN, it replies with a TCP RST.
Is it possible to make it just drop this SYN without sending the RST back?

Thx
 
Old 01-10-2007, 06:14 AM   #2
blackhole54
If this packet was not related to an already MASQUERADEd connection (as I think would be true of all SYN packets), NAT would leave it alone and it would be handled by the INPUT chain. So if you wanted to stealth everything not MASQUERADEd that comes in on eth1, you could

iptables -A INPUT -i eth1 -j DROP

if you wanted to just drop SYN packets, you could

iptables -A INPUT -i eth1 -p tcp --syn -j DROP

or if you had traffic from the local computer you wanted to let back and forth to the internet you could

iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

Of course, there are other variations.

EDIT: If you want to filter NATted traffic, one thing you need to be aware of is that after the initial outgoing packet gets NATted, no other packets for that connection, in either direction, pass through the POSTROUTING chain. So any filtering would have to be done in the FORWARD chain.

Last edited by blackhole54; 01-10-2007 at 06:19 AM.
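As an added example (not part of the thread, and not blackhole54's or the original poster's rules): the complete ruleset for the gateway described above, generated as an iptables-restore file so it can be produced and reviewed without root. The RST the original poster sees comes from the gateway's own TCP stack: an inbound SYN on eth1 that matches no NAT mapping is delivered locally, passes the INPUT chain (policy ACCEPT in the posted setup) and the kernel answers a closed port with RST. Stopping that means a DROP, never a REJECT, in INPUT. The interface names eth0/eth1 follow the thread; the LAN range 192.168.1.0/24, the file location and the function names are assumptions. The script adds default-deny policies and uses `-m conntrack --ctstate`, the current spelling of the `-m state --state` match used in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a NAT-gateway ruleset in
# iptables-restore format. Arguments: output file, LAN interface, WAN
# interface, LAN network (all values below are assumed for illustration).
write_nat_ruleset() {
    out=$1; lan_if=$2; wan_if=$3; lan_net=$4
    cat > "$out" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the first packet of a flow is seen here; conntrack rewrites the rest.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the gateway itself: loopback, replies to its own connections,
# and management from the LAN side.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
# Unsolicited SYN from the outside: DROP, not REJECT, so no RST leaves.
# Redundant with the DROP policy, but it keeps a counter for these probes.
-A INPUT -i $wan_if -p tcp --syn -j DROP
# Forwarded traffic: LAN hosts out, only replies back in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Syntax-check the generated file without loading it. Needs root and
# iptables-restore; reports a skip and returns 0 when either is missing.
check_nat_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "skipping iptables-restore --test (needs root and iptables)"
        return 0
    fi
    iptables-restore --test "$1"
}

# Demo run (file path is an assumption): generate the ruleset and show it.
# To deploy: iptables-restore < /etc/iptables/nat-gateway.rules
rules=${TMPDIR:-/tmp}/nat-gateway.rules.$$
write_nat_ruleset "$rules" eth0 eth1 192.168.1.0/24
cat "$rules"
rm -f "$rules"
```

After loading it, verify from a host outside eth1: a SYN scan of the public address should report the probed ports as filtered rather than closed, and tcpdump on eth1 should show the inbound SYN with no RST going back out.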
 
Old 01-10-2007, 07:46 AM   #3
attojung
Thank you very much,

Actually, I am now testing NAT traversal. And lots of the techniques used to punch NAT holes are not allowed to accept a RST back, because the hole is going to be closed if a RST comes.

Thanks again, I will try to set it up as you suggested.
 
  

