Question about Netfilter and Connection tracking
Hey guys,
I'm trying to incorporate connection tracking into my current iptables
script.
I have created several user-defined chains to grab datagrams from the INPUT
and OUTPUT chains. From there I specifically allow what kind of communication
is allowed on an interface and service basis and then jump unwanted
communication into a chain which logs and then drops datagrams.
Is connection tracking needed on each individual user-defined chain or would
connection tracking only be required on the INPUT chain?
EX:
#!/bin/sh
# External interface name. The original script never set this variable;
# the default here is an assumption, adjust it to the real interface.
EXTIFACE="${EXTIFACE:-eth0}"
# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
iptables -t $t -F
iptables -t $t -X
done
# Set the default policies on the filter table.
for p in INPUT FORWARD OUTPUT; do
iptables -t filter -P $p DROP
done
# Netfilter connection tracking state matches
# Replies and related traffic (e.g. ICMP errors) from outside are accepted.
iptables -A INPUT -i $EXTIFACE -m state \
--state RELATED,ESTABLISHED -j ACCEPT
# New connections are accepted from every interface except the external one
# ("! -i" is the current negation syntax; "-i !" is the deprecated form).
iptables -A INPUT ! -i $EXTIFACE -m state \
--state NEW -j ACCEPT
# New and untrackable packets from the external interface are dropped.
iptables -A INPUT -i $EXTIFACE -m state \
--state NEW,INVALID -j DROP
# ICMP filters
# create a chain for ICMP datagrams
iptables -N ICMP 2>/dev/null
# Divert all ICMP datagrams on all interfaces into the ICMP chain
iptables -A INPUT --protocol icmp -j ICMP
iptables -A OUTPUT --protocol icmp -j ICMP
# TCP filters
# create a chain for TCP datagrams (the chain name must match the jump target)
iptables -N TCP 2>/dev/null
# Divert all TCP datagrams on all interfaces into the TCP chain
iptables -A INPUT --protocol tcp -j TCP
iptables -A OUTPUT --protocol tcp -j TCP
etc, etc......
Let's say that this script was complete, and it provided basic functionality
for my network while preventing unwanted communication. Would connection
tracking still work after a datagram is passed from INPUT chain to the ICMP
or TCP chains?
Thanks,
Stef
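The following script is an added example and is not Stef's script or a reply from the list. It illustrates the point behind the question: Netfilter assigns the connection tracking state to every packet in the conntrack hook, which runs before the filter table is consulted, so a state match (`-m conntrack --ctstate`, the current name for the older `-m state --state` match) can be tested in any chain the packet is jumped into, user-defined chains included. No rule in INPUT "initiates" tracking; the rules only test a state that already exists. Here the state tests therefore live inside the per-protocol chains. The interface name (EXTIFACE, default eth0), the exposed services (SSH and HTTPS) and the DRY_RUN switch that prints the rules instead of loading them are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the script from the post): conntrack state matched
# inside user-defined chains rather than in INPUT.
#
# Assumptions (hypothetical): external interface in EXTIFACE (default eth0);
# only SSH and HTTPS are exposed on it. With DRY_RUN=1 the rules are printed
# instead of loaded, so the rule set can be reviewed without root.

EXTIFACE="${EXTIFACE:-eth0}"
DRY_RUN="${DRY_RUN:-}"

# Wrapper so the rule set can be inspected without touching the kernel.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Clean filter table with deny-by-default policies.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Shared log-then-drop chain (rate limited so it cannot flood the log).
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    ipt -A LOGDROP -j DROP

    # TCP chain: every state test is made here, in a user-defined chain.
    ipt -N TCP
    ipt -A TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A TCP -m conntrack --ctstate INVALID -j LOGDROP
    # New connections: anything from inside, only SSH/HTTPS from outside.
    ipt -A TCP ! -i "$EXTIFACE" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A TCP -i "$EXTIFACE" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A TCP -i "$EXTIFACE" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A TCP -j LOGDROP

    # ICMP chain: echo replies to our own pings are ESTABLISHED and ICMP
    # errors for tracked flows are RELATED, so one rule covers both.
    ipt -N ICMP
    ipt -A ICMP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A ICMP -p icmp --icmp-type echo-request -m conntrack --ctstate NEW \
        -m limit --limit 10/s -j ACCEPT
    ipt -A ICMP -j LOGDROP

    # INPUT only dispatches by protocol; the packet's state travels with it.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -p tcp -j TCP
    ipt -A INPUT -p icmp -j ICMP
    ipt -A INPUT -j LOGDROP

    # Outbound: flows we originate are tracked too, so their replies hit the
    # ESTABLISHED rules above.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -j LOGDROP
}

# Count the rules of one chain that test conntrack state, reading a rendered
# rule set (DRY_RUN output) on stdin. Confirms where the state tests live.
state_rules_in_chain() {
    chain="$1"
    grep -c -- "-A $chain .*--ctstate" || true
}

case "${1:-}" in
    apply) build_ruleset ;;
    show)  DRY_RUN=1 build_ruleset ;;
esac
```

Run it as `sh fw.sh show` to review the generated rules, or `sh fw.sh apply` as root to load them. Placing the ESTABLISHED,RELATED test at the top of each protocol chain keeps the common case cheap, and keeping INPUT down to dispatch rules means a rule that drops NEW traffic from the outside cannot shadow the per-service allow rules that come later.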