[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Question about Netfilter and Connection tracking

I sent this e-mail on the firewall list but got no replys, maybe some of the 
people here on the security lists can offer me some insight?

I would greatly appreciate it, 


----------  Forwarded Message  ----------
Subject: Question about Netfilter and Connection tracking
Date: Thu, 30 Aug 2001 04:40:35 -0600
From: Stefan Srdic <linuxbox@telusplanet.net>
To: debian-firewall@lists.debian.org

Hey guys,

	I'm  trying to incorparate connection tracking into my current IPTables

I have created several user-defined chains to grab datagrams from the INPUT
and OUTPUT chains. From there I specifically allow what kind of communication
is allowed on an interface and service basis and then jump un-wanted
communication into a chain which logs and then drops datagrams.

Is connection tracking needed on each individual user-defined chain or would
connection tracking only be required on the INPUT chain?

# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
    iptables -t $t -F
    iptables -t $t -X

# Set the default policies on the filter table.
    iptables -t filter -P $p DROP

# Initiate Netfilter connection tracking
iptables -A INPUT -i $EXTIFACE -m state \
iptables -A INPUT -i ! $EXTIFACE -m state \
    --state NEW -j ACCEPT
iptables -A INPUT -i $EXTIFACE -m state \
    --state NEW,INVALID -j DROP

# ICMP filters
# create a chain for ICMP datagrams
iptables -N ICMP 2>/dev/null

# Divert all ICMP datagrams on all interfaces into the ICMP chain
iptables -A INPUT --protocol icmp -j ICMP
iptables -A OUTPUT --protocol icmp -j ICMP

# TCP filters
# create a chains TCP datagrams
iptables -N TCPIN 2>/dev/null

# Divert all TCP datagrams on all interfaces into the TCP chain
iptables -A INPUT--protocol tcp -j TCP
iptables -A OUTPUT --protocol tcp -j TCP

etc, etc......

Let's say that this script was complete, and it provided basic functionality
for my network while preventing un-wanted communication. Would connection
tracking still work after a datagram is passed from INPUT chain to the ICMP
or TCP chains?



To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


Reply to: