Re: Iptables config

To: debian-security@lists.debian.org
Subject: Re: Iptables config
From: Peter Cordes <peter@llama.nslug.ns.ca>
Date: Thu, 18 Apr 2002 01:50:38 -0300
Message-id: <[🔎] 20020418015038.C4143@yeti.nslug.ns.ca>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20010920030511.GC609@Osterstein>
References: <[🔎] Pine.OSF.4.21.0204121108010.16570-100000@gram.math.ku.dk> <[🔎] 20020412093709.GD9175@pn66.sdi.poznan.tpnet.pl> <[🔎] 20020417094505.GA3359@erpland> <[🔎] 3CBD57E7.4020204@discon.de> <[🔎] 20020417121549.B4143@yeti.nslug.ns.ca> <[🔎] 20010920030511.GC609@Osterstein>

On Thu, Sep 20, 2001 at 05:05:11AM +0200, Mathias Palm wrote:
> ...
> 
> > 
> >  I use the connection-tracking support, so I can drop everything except
> > traffic related to a connection I opened.  This is what I use (NAT stuff
> > omitted):
> > 
> > 	iptables -t filter -P FORWARD ACCEPT
> > 	iptables -t filter -P INPUT DROP
> > 	iptables -t filter -P OUTPUT ACCEPT
> > 
> > 	modprobe ip_conntrack
> > 	modprobe ip_conntrack_ftp
> > 
> > 	iptables -A INPUT -i ! eth0 -j ACCEPT  # accept everything except from the big bad Internet
> > 	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Sorry, I dont get that. The manpage says:
> 
> ...ESTABLISHED meaning that the
> packet is associated with a  connection  which  has
> seen  packets  in both directions...
>                   ^^^^
> But if I initiate a connection, it shouldn't have seen packages in both
> directions, should it? What am I missing?

 Hmm, maybe the docs are wrong.  --state ESTABLISHED,RELATED is the magic
incantation recommended by the packet-filtering HOWTO.
(file://localhost/usr/share/doc/iptables/html/packet-filtering-HOWTO-5.html)
All I know for sure is that it works.

> Another question: (from the manpage):
> ...RELATED  meaning  that  the packet is starting a new connection,
> but is associated with an existing connection, such
> as an FTP data transfer, or an ICMP error...
> 
> How does iptables find out, that a newly initiated connection is related 
> to another existing one? By process number, by vicinity in time or
> something other? 

 It finds out by looking at the traffic in the connection.  The
ip_conntrack_ftp module has code that understands the FTP protocol, so it
can see when and FTP command which will use a new port is sent.  I hope they
have some kind of optimization, like only looking at port 21 traffic, to
avoid the overhead of trying to parse every TCP stream as FTP commands, but
I don't know.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Iptables config
  - From: Lars Roland Kristiansen <m00lrk@math.ku.dk>
- Re: Iptables config
  - From: Michal Melewski <mike@pn66.poznan.sdi.tpnet.pl>
- Re: Iptables config
  - From: Jussi Ekholm <ekhowl@goa-head.org>
- Re: Iptables config
  - From: "Martin Peikert" <Martin.Peikert@discon.de>
- Re: Iptables config
  - From: Peter Cordes <peter@llama.nslug.ns.ca>
- Re: Iptables config
  - From: Mathias Palm <Mathias.Palm@gmx.net>

Prev by Date: one more iplogger question.
Next by Date: Re: one more iplogger question.
Previous by thread: Re: Iptables config
Next by thread: Re: Iptables config
Index(es):
- Date
- Thread