Re: Problems with a forward rule

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Mon, May 14, 2012 at 9:26 AM, Neal Murphy <neal.p.murphy@xxxxxxxxxxxx> wrote:
> On Monday 14 May 2012 01:45:21 you wrote:
>> Ok, here they are. I want to allow connections from host
>> to one specific network only.
> As written, your rules
>  1. Allow all packets for established conns and the first packet for related
>     conns to pass.
>  2. Allow all packets for new conns from the host to pass
>  3. Drop all other packets. This makes the first rule moot, because there
>     will be no established conns from other hosts. NEW packets are dropped,
>     thus there cannot be any established conns for a related connection to
>     be created.
> But I suspect you already know your rules don't work right. :)
> I only looked at the rules in table 'filter'.

Sorry Neal, but exists some things in your answer that I don't understand ...

In line:
> To restrict that host to a particular LAN and allow other hosts through, these
> rules in table 'filter':
> -A FORWARD -s -m state --state NEW -j ACCEPT
> -A FORWARD -j LOG --log-prefix "IPT FORWARD packet died: "
> should be:
> -A FORWARD -s -d a.b.c.d/netmask \

Why this rule??:

> -A FORWARD -s a.b.c.d/netmask -d \
>  -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s \
>  -j LOG --log-prefix "FORWARD dropped packet from "

Why this rule??: by default all is denied if it is not exists an
established and related connection.

> -A FORWARD -d \
>  -j LOG --log-prefix "FORWARD dropped packet to "

Why this rule??:

I only want to allow related and established connections ... not new
if it is not explicit allowed.

> Rule order is important. Thus,
>  1. Packets from the host to that LAN that are for (1) a new or a
>     new/related conn, and (2) all packets for established conns,
>     are allowed.
>  2. Packets to the host from that LAN for (1) a new/related conn
>     or (2) for established conns are allowed.
>  3. All other packets forwarded to or from that host are dropped.
>  4. All other forwarded packets are allowed.
>  5. The FORWARD chain's DROP policy is never executed. See #5 (above).
>  6. The host is still allowed to access all other hosts on its LAN; the
>     router has no control over that.
> Since no protocols are specified, ICMP will also be allowed.
> Remember that:
>  - Without ICMP, your internetwork will not function.

Sorry?? Why?? I administer a lot of chkps and bds fws and ALL had icmp
denied by default (with some exceptions), and it works ok ...

>  - A 'conn' is a relation between two socket endpoints, be it TCP, UDP
>    or another protocol.
>  - NEW refers to the *first* packet of a new conn.
>  - RELATED refers to the *first* packet of a new, related conn.
>  - ESTABLISHED refers to all other packets of established conns,
>    whether they started as NEW or as RELATED.
>  - the RELATED state is set by a conntrack helper (FTP, etc.) that
>    snoops and detects when one end of an established conn is attempting
>    to open a new conn (such as FTP's data channel).
>  - You may want to allow DNS (UDP port 53) to pass (if needed), depending
>    on where your DNS server or 'proxy' is.
>  - You may want to add rules to INPUT and OUTPUT to prevent that host
>    from accessing the router itself, if desired.

But according to my default policy, all that it is not allowed is
denied ... Your answers are redundant with my default policy ...
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux