Question about Netfilter and Connection tracking

To: debian-security@lists.debian.org
Subject: Question about Netfilter and Connection tracking
From: Stefan Srdic <linuxbox@telusplanet.net>
Date: Sun, 2 Sep 2001 07:13:55 -0600
Message-id: <[🔎] 01090207135501.00691@NodeFilter>

I sent this e-mail on the firewall list but got no replys, maybe some of the 
people here on the security lists can offer me some insight?

I would greatly appreciate it, 

Stef

----------  Forwarded Message  ----------
Subject: Question about Netfilter and Connection tracking
Date: Thu, 30 Aug 2001 04:40:35 -0600
From: Stefan Srdic <linuxbox@telusplanet.net>
To: debian-firewall@lists.debian.org

Hey guys,

	I'm  trying to incorparate connection tracking into my current IPTables
script.

I have created several user-defined chains to grab datagrams from the INPUT
and OUTPUT chains. From there I specifically allow what kind of communication
is allowed on an interface and service basis and then jump un-wanted
communication into a chain which logs and then drops datagrams.

Is connection tracking needed on each individual user-defined chain or would
connection tracking only be required on the INPUT chain?

EX:
#!/bin/sh
# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
    iptables -t $t -F
    iptables -t $t -X
done

# Set the default policies on the filter table.
for p in INPUT FORWARD OUTPUT; do
    iptables -t filter -P $p DROP
done

# Initiate Netfilter connection tracking
iptables -A INPUT -i $EXTIFACE -m state \
    --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ! $EXTIFACE -m state \
    --state NEW -j ACCEPT
iptables -A INPUT -i $EXTIFACE -m state \
    --state NEW,INVALID -j DROP

# ICMP filters
# create a chain for ICMP datagrams
iptables -N ICMP 2>/dev/null

# Divert all ICMP datagrams on all interfaces into the ICMP chain
iptables -A INPUT --protocol icmp -j ICMP
iptables -A OUTPUT --protocol icmp -j ICMP

# TCP filters
# create a chains TCP datagrams
iptables -N TCPIN 2>/dev/null

# Divert all TCP datagrams on all interfaces into the TCP chain
iptables -A INPUT--protocol tcp -j TCP
iptables -A OUTPUT --protocol tcp -j TCP

etc, etc......

Let's say that this script was complete, and it provided basic functionality
for my network while preventing un-wanted communication. Would connection
tracking still work after a datagram is passed from INPUT chain to the ICMP
or TCP chains?

	Thanks,

	Stef

--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-------------------------------------------------------

Reply to:

Prev by Date: Re: That "Layne" incident (possibly useful information, not just whining!)
Next by Date: Re: That "Layne" incident (possibly useful information, not just whining!)
Previous by thread: Re: re Layne incident
Next by thread: Sendmail patches in work?
Index(es):
- Date
- Thread