Established / related

Established / related

[Peter Marshall]

I was wondering if there is a way to use established, related on a subchain
only.

ex.  ftp server behind firewall

$IPTABLES -A FORWARD -d $IPSERVER -j ftpchain

$IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

This does not seem to work .. It only seems to work when I have the
established,related line on the Forwared chain.

Thanks for the help.
Peter

Re: Established / related

[Antony Stone]

On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:

> I was wondering if there is a way to use established, related on a subchain
> only.
>
> ex.  ftp server behind firewall
>
> $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
>
> $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> This does not seem to work .. It only seems to work when I have the
> established,related line on the Forwared chain.

I really cannot see why this should not do what you want (which presumably is 
to match only established or related packets going to $IPSERVER).

The only thing which looks a little odd to me, which I wonder whether you've 
forgotten, is to make sure there is a rule for the reply packets coming back 
again from $IPSERVER?

If that's not the problem, please give some more details on how you're testing 
it and why you think it doesn't work.

Regards,

Antony.

-- 
"It would appear we have reached the limits of what it is possible to achieve 
with computer technology, although one should be careful with such 
statements; they tend to sound pretty silly in five years."

 - John von Neumann (1949)

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Established / related

[Peter Marshall]

shouldn't the reply be taken care of by the established,related rule below ?

(I am probably just missing something blatantly obvious)

Peter

----- Original Message ----- 
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Tuesday, June 29, 2004 3:46 PM
Subject: Re: Established / related


On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:

> I was wondering if there is a way to use established, related on a
subchain
> only.
>
> ex.  ftp server behind firewall
>
> $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
>
> $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j
ACCEPT
>
> This does not seem to work .. It only seems to work when I have the
> established,related line on the Forwared chain.

I really cannot see why this should not do what you want (which presumably
is
to match only established or related packets going to $IPSERVER).

The only thing which looks a little odd to me, which I wonder whether you've
forgotten, is to make sure there is a rule for the reply packets coming back
again from $IPSERVER?

If that's not the problem, please give some more details on how you're
testing
it and why you think it doesn't work.

Regards,

Antony.

-- 
"It would appear we have reached the limits of what it is possible to
achieve
with computer technology, although one should be careful with such
statements; they tend to sound pretty silly in five years."

 - John von Neumann (1949)

                                                     Please reply to the
list;
                                                           please don't CC
me.

Re: Established / related

[Antony Stone]

On Tuesday 29 June 2004 8:12 pm, Peter Marshall wrote:

> shouldn't the reply be taken care of by the established,related rule below?

No, because the reply will be coming *from* $IPSERVER, and your rule in the 
FORWARD chain calling the user-defined chain only matches packets with 
$IPSERVER as the destination address.

> (I am probably just missing something blatantly obvious)

Yes, I think so :)

Regards,

Antony.

PS: I've chosen the sig on this response specially for you :)

> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: "netfilter" <netfilter@lists.netfilter.org>
> Sent: Tuesday, June 29, 2004 3:46 PM
> Subject: Re: Established / related
>
> On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:
> > I was wondering if there is a way to use established, related on a
>
> subchain
>
> > only.
> >
> > ex.  ftp server behind firewall
> >
> > $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
> >
> > $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j
>
> ACCEPT
>
> > This does not seem to work .. It only seems to work when I have the
> > established,related line on the Forwared chain.
>
> I really cannot see why this should not do what you want (which presumably
> is
> to match only established or related packets going to $IPSERVER).
>
> The only thing which looks a little odd to me, which I wonder whether
> you've forgotten, is to make sure there is a rule for the reply packets
> coming back again from $IPSERVER?
>
> If that's not the problem, please give some more details on how you're
> testing
> it and why you think it doesn't work.
>
> Regards,
>
> Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Established / related

[Peter Marshall]

Thank you for your help.

Peter


----- Original Message ----- 
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Tuesday, June 29, 2004 4:25 PM
Subject: Re: Established / related


On Tuesday 29 June 2004 8:12 pm, Peter Marshall wrote:

> shouldn't the reply be taken care of by the established,related rule
below?

No, because the reply will be coming *from* $IPSERVER, and your rule in the
FORWARD chain calling the user-defined chain only matches packets with
$IPSERVER as the destination address.

> (I am probably just missing something blatantly obvious)

Yes, I think so :)

Regards,

Antony.

PS: I've chosen the sig on this response specially for you :)

> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: "netfilter" <netfilter@lists.netfilter.org>
> Sent: Tuesday, June 29, 2004 3:46 PM
> Subject: Re: Established / related
>
> On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:
> > I was wondering if there is a way to use established, related on a
>
> subchain
>
> > only.
> >
> > ex.  ftp server behind firewall
> >
> > $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
> >
> > $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j
>
> ACCEPT
>
> > This does not seem to work .. It only seems to work when I have the
> > established,related line on the Forwared chain.
>
> I really cannot see why this should not do what you want (which presumably
> is
> to match only established or related packets going to $IPSERVER).
>
> The only thing which looks a little odd to me, which I wonder whether
> you've forgotten, is to make sure there is a rule for the reply packets
> coming back again from $IPSERVER?
>
> If that's not the problem, please give some more details on how you're
> testing
> it and why you think it doesn't work.
>
> Regards,
>
> Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

                                                     Please reply to the
list;
                                                           please don't CC
me.