Re: Iptables config
On Thu, Sep 20, 2001 at 05:05:11AM +0200, Mathias Palm wrote:
> > I use the connection-tracking support, so I can drop everything except
> > traffic related to a connection I opened. This is what I use (NAT stuff
> > omitted):
> > iptables -t filter -P FORWARD ACCEPT
> > iptables -t filter -P INPUT DROP
> > iptables -t filter -P OUTPUT ACCEPT
> > modprobe ip_conntrack
> > modprobe ip_conntrack_ftp
> > iptables -A INPUT -i ! eth0 -j ACCEPT # accept everything except from the big bad Internet
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> Sorry, I don't get that. The manpage says:
> ...ESTABLISHED meaning that the
> packet is associated with a connection which has
> seen packets in both directions...
> But if I initiate a connection, it shouldn't have seen packets in both
> directions, should it? What am I missing?
Hmm, maybe the docs are wrong. --state ESTABLISHED,RELATED is the magic
incantation recommended by the packet-filtering HOWTO.
All I know for sure is that it works.
> Another question: (from the manpage):
> ...RELATED meaning that the packet is starting a new connection,
> but is associated with an existing connection, such
> as an FTP data transfer, or an ICMP error...
> How does iptables find out, that a newly initiated connection is related
> to another existing one? By process number, by vicinity in time or
> something other?
It finds out by looking at the traffic in the connection. The
ip_conntrack_ftp module has code that understands the FTP protocol, so it
can see when an FTP command which will use a new port is sent. I hope they
have some kind of optimization, like only looking at port 21 traffic, to
avoid the overhead of trying to parse every TCP stream as FTP commands, but
I don't know.
#define X(x,y) x##y
Peter Cordes ; e-mail: X(firstname.lastname@example.org. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
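[Editor's note: added worked example, not part of the message above and not code from the netfilter project.] The two questions in this thread (why the reply to a connection this host opened matches ESTABLISHED, and how a data connection gets tagged RELATED) come down to how the connection tracker classifies each packet: the first packet of a flow is NEW, the first packet seen in the opposite direction of a known flow is ESTABLISHED, and a NEW packet that matches an "expectation" registered by a protocol helper is RELATED. The FTP helper only inspects the control channel (port 21 by default for ip_conntrack_ftp) and, when it sees a PORT command, registers an expectation for the server's active-mode data connection. The model below reproduces that logic; the addresses, ports and payloads are constructed sample data, and the Packet/ConnTrack classes are illustrative, not the kernel's data structures.

```python
# Model of ip_conntrack's NEW/ESTABLISHED/RELATED classification and the
# port-21 FTP helper. Illustrative code only; sample addresses are constructed.

NEW, ESTABLISHED, RELATED = "NEW", "ESTABLISHED", "RELATED"
FTP_CONTROL_PORT = 21   # ip_conntrack_ftp binds its helper to port 21 by default
FTP_DATA_PORT = 20      # active-mode data connections come from the server's port 20


class Packet:
    def __init__(self, src, sport, dst, dport, payload=b""):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.payload = payload

    def tuple(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_tuple(self):
        return (self.dst, self.dport, self.src, self.sport)


def parse_port_command(payload):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT."""
    line = payload.decode("ascii", "replace").strip()
    if not line.upper().startswith("PORT "):
        return None
    fields = line[5:].split(",")
    if len(fields) != 6 or not all(f.strip().isdigit() for f in fields):
        return None
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class ConnTrack:
    def __init__(self):
        self.connections = {}    # original-direction tuple -> {"seen_reply": bool}
        # expectations: (server ip, client ip, client data port); the source
        # port is deliberately unspecified, as the real FTP helper leaves it
        self.expectations = set()

    def classify(self, pkt):
        """Return the --state value the filter rules would see for this packet."""
        t, rt = pkt.tuple(), pkt.reverse_tuple()
        if t in self.connections:
            # a retransmitted first packet is still NEW until a reply was seen
            state = ESTABLISHED if self.connections[t]["seen_reply"] else NEW
        elif rt in self.connections:
            # first packet in the reply direction: the flow has now seen both
            # directions, and this reply packet itself matches ESTABLISHED
            self.connections[rt]["seen_reply"] = True
            state = ESTABLISHED
        else:
            self.connections[t] = {"seen_reply": False}
            key = (pkt.src, pkt.dst, pkt.dport)
            if key in self.expectations:
                self.expectations.discard(key)
                state = RELATED
            else:
                state = NEW
        self._run_ftp_helper(pkt)
        return state

    def _run_ftp_helper(self, pkt):
        # only traffic to the control port is parsed as FTP, not every TCP stream
        if pkt.dport != FTP_CONTROL_PORT:
            return
        parsed = parse_port_command(pkt.payload)
        if parsed is not None:
            data_ip, data_port = parsed
            self.expectations.add((pkt.dst, data_ip, data_port))


def input_chain_verdict(state, iface):
    """The INPUT chain from the message: policy DROP, accept non-eth0,
    accept ESTABLISHED,RELATED from anywhere."""
    if iface != "eth0":
        return "ACCEPT"
    if state in (ESTABLISHED, RELATED):
        return "ACCEPT"
    return "DROP"


def walk_through():
    """Active-mode FTP session as the tracker sees it, plus one unsolicited SYN."""
    ct = ConnTrack()
    client, server, attacker = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    pkts = [
        Packet(client, 40000, server, 21),                       # our SYN to the server
        Packet(server, 21, client, 40000),                       # SYN/ACK back to us
        Packet(client, 40000, server, 21, b"PORT 10,0,0,5,156,65\r\n"),  # 156*256+65 = 40001
        Packet(server, FTP_DATA_PORT, client, 40001),            # server opens data conn
        Packet(client, 40001, server, FTP_DATA_PORT),            # our ACK on the data conn
        Packet(attacker, 1234, client, 22),                      # unsolicited SYN
    ]
    return [ct.classify(p) for p in pkts]


if __name__ == "__main__":
    for state in walk_through():
        print(state, "->", input_chain_verdict(state, "eth0"))
```

Run on the constructed session, the outgoing SYN is NEW, the server's SYN/ACK is already ESTABLISHED (so the ESTABLISHED rule is what lets return traffic in), the server's data-channel SYN from port 20 is RELATED because the helper saw the PORT command on port 21, and the unsolicited SYN to port 22 is NEW and falls through to the DROP policy.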