LinuxQuestions.org


farhan 09-03-2007 03:45 AM

how does IPTABLES -A FORWARD two way traffic without using connection tracking?
 
Hi

Just a bit confused about a firewall rule. I have gone through the iptables documentation and Google but have been unable to find the answer.
It will be highly appreciated if anyone can advise.

The scenario is as follows:

My pc------------iptables-firewall(Forwarding table)-------------- server

If the default policy for the forwarding table is DROP and I add the
following rule, without matching any connection tracking states (NEW,
ESTABLISHED, RELATED):

-A FORWARD -d server-ip -j ACCEPT (everything accepted for testing,
without connection tracking)

Now I telnet to the server on port 23 from my PC. The firewall will
allow the first packet with TCP SYN set. BUT will it allow the
returning packet from the server to my PC with TCP SYN and ACK set, as
there is no rule in the table like -A FORWARD -s server-ip -j ACCEPT
which would allow the returning packet?


Do I need to add both of the above forwarding rules (for two-way traffic between my PC and the server), or will the first be
enough and automatically allow the returning packet even though I
haven't explicitly used the NEW, ESTABLISHED states etc.?

mariogarcia 09-03-2007 08:19 AM

I believe you have to make a rule for established, related connections.

win32sux 09-03-2007 11:59 AM

Yes, you'd ideally want to do this with a RELATED,ESTABLISHED rule, but since you don't want to use connection tracking for whatever reason, you can imitate the old-school stateless ipchains method with something like:
Code:

# client -> server: telnet requests arriving from the WAN side
iptables -A FORWARD -p TCP -i $WAN -o $LAN -d $SERVER --dport 23 -j ACCEPT
# server -> client: replies leaving with source port 23
iptables -A FORWARD -p TCP -i $LAN -o $WAN -s $SERVER --sport 23 -j ACCEPT

Remember you'll also need the relevant PREROUTING rule to DNAT the incoming packets, and a POSTROUTING rule to SNAT the outgoing ones.

farhan 09-05-2007 03:22 AM

Thanks mariogarcia and win32sux,

What I understood is, if I am using filtering with connection tracking (NEW, ESTABLISHED, RELATED) then there is no need to add a rule for the returning traffic, whereas in stateless filtering I need to add two rules for two-way traffic. Please confirm whether my understanding is correct.

win32sux 09-05-2007 12:31 PM

Quote:

Originally Posted by farhan (Post 2881697)
What I understood is, if I am using filtering with connection tracking (NEW, ESTABLISHED, RELATED) then there is no need to add a rule for the returning traffic, whereas in stateless filtering I need to add two rules for two-way traffic. Please confirm whether my understanding is correct.

Yeah, but if you wanted to be more precise, you could say that when using connection tracking you only need to make special rules allowing the initiation of a connection, and the rest of the packets for that connection (and connections directly related to it) will get handled by the connection tracking.
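To make the difference between the three rule sets in this thread concrete, here is an added toy model of the FORWARD chain (example code, not from the thread or from iptables itself). It walks a telnet handshake through farhan's single -d server rule, win32sux's stateless pair, and a NEW plus ESTABLISHED pair, and also shows why the stateless --sport 23 rule admits any packet with that source port while conntrack does not. The addresses, ports and the simplified conntrack table are constructed assumptions.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst sport dport flags")
SERVER, PC = "192.0.2.10", "198.51.100.5"   # constructed addresses

# A telnet handshake plus one data packet each way, as seen by the firewall.
HANDSHAKE = [
    Pkt(PC, SERVER, 40000, 23, "SYN"),
    Pkt(SERVER, PC, 23, 40000, "SYN,ACK"),
    Pkt(PC, SERVER, 40000, 23, "ACK"),
    Pkt(SERVER, PC, 23, 40000, "PSH,ACK"),
]

def run_chain(rules, packets):
    """Apply rules in order with policy DROP; return one verdict per packet.
    A rule is a dict of match fields (src, dst, sport, dport, state); the
    first matching rule ACCEPTs. Conntrack is simplified: a flow becomes
    ESTABLISHED once a packet of it (either direction) has been accepted."""
    conntrack = set()
    verdicts = []
    for p in packets:
        flow = frozenset([(p.src, p.sport), (p.dst, p.dport)])  # direction-agnostic
        state = "ESTABLISHED" if flow in conntrack else "NEW"
        accepted = any(
            all(v == state if k == "state" else getattr(p, k) == v
                for k, v in rule.items())
            for rule in rules)
        if accepted:
            conntrack.add(flow)   # only accepted packets create a tracked flow
        verdicts.append("ACCEPT" if accepted else "DROP")
    return verdicts

# farhan's single rule:  -A FORWARD -d server-ip -j ACCEPT
ONE_WAY = [{"dst": SERVER}]
# win32sux's stateless pair, one rule per direction on port 23
STATELESS = [{"dst": SERVER, "dport": 23}, {"src": SERVER, "sport": 23}]
# connection-tracking version: allow NEW to port 23, then ESTABLISHED both ways
STATEFUL = [{"dst": SERVER, "dport": 23, "state": "NEW"}, {"state": "ESTABLISHED"}]

# A packet the server originates from port 23 to an unrelated client port:
# the stateless pair lets it through on --sport alone, conntrack calls it NEW.
STRAY = [Pkt(SERVER, PC, 23, 40001, "SYN")]

if __name__ == "__main__":
    for name, rules in (("one-way", ONE_WAY), ("stateless", STATELESS),
                        ("stateful", STATEFUL)):
        print(f"{name:10} handshake: {run_chain(rules, HANDSHAKE)}")
        print(f"{name:10} stray:     {run_chain(rules, STRAY)}")
```

The one-way rule set drops the SYN,ACK and the server's data packet, which is exactly the behaviour farhan was asking about.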

