[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NetFilter connection tracking

> > ports you want. Only associated packets will be accepted IN.
> Thanks for the feedback.  All I am still a little worried about is what
> are associated packets, I guess.  So suppose I initiate a non-anonymous
> FTP session, I've seen that generate ident packets.  Are these
> associated?  Similar worries about other protocols.
Ident/Auth (same thing) connections are normal when a FTP (or IRC or MANY
things) make a connection....

I.e. when connected to remote ftp server -- the ftp server may CONNECT
BACK to your IP address/machine on the ident/auth "113" port and attempt
to request the username using the client/program... This is quite normal
and non-harmful...

You must at least allow 'returned' connection on port 113 to be refused
with TCP RESET using target 'REJECT' and "--reject-with tcp-reset" in
iptables somewhere...  You can of course run a safe identd and allow
connections to that identd.

I know a "nathost.[domain].[domain].ac.uk" machine that acts as a
single IP address 'NAT' host -- taking connections leaving that
institution -- seems to 'DROP' connection packets aimed at most ports on
it -- BUT -- sends back a TCP RESET in response to connection packet going
to the auth/ident (113) port on that 'nathost' machine.

If you DROP packets coming to ident port on your machine -- you may find
some telnet/smtp/ftp/irc/other sessions from that machine take a long
time to give login-prompt / work (or not work at all) as the remote server
you connect to is trying, trying, trying, to connect back to your port 113
(auth/ident port) and ... eventually times out -- you should either accept
this connection or refuse it properly.

I wonder if iptables 'related' matches returned ident connections and/or
can forward ident connection to machine that actually originated outgoing
connection instead of only recieving ident connection on
iptables/netfilter machine itself.


Reply to: