* "connection tracking" and "Connection state"?
@ 2003-04-02 1:18 SB CH
2003-04-02 3:37 ` Joel Newkirk
2003-04-02 15:33 ` Intercom@x
0 siblings, 2 replies; 4+ messages in thread
From: SB CH @ 2003-04-02 1:18 UTC (permalink / raw)
To: netfilter
Hello, all.
Does connection tracking (stateful inspection) have a relation to this menu (make
config)?
"Connection tracking match support"
But when I deselect this menu, I can use connection tracking like
NEW,ESTABLISHED,RELATED etc.
I think that only "Connection state match support" menu is required to use
this function.
Then what is the function and meaning of the "Connection tracking match
support"?
Thanks in advance.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "connection tracking" and "Connection state"?
From: Joel Newkirk @ 2003-04-02 3:37 UTC (permalink / raw)
To: SB CH, netfilter
On Tuesday 01 April 2003 08:18 pm, SB CH wrote:
> Hello, all.
>
> Does connection tracking (stateful inspection) have a relation to this
> menu (make config)?
>
> "Connection tracking match support"
>
> But when I deselect this menu, I can use connection tracking like
> NEW,ESTABLISHED,RELATED etc.
> I think that only "Connection state match support" menu is required to
> use this function.
>
> Then what is the function and meaning of the "Connection tracking
> match support"?
As I just found out (Thanks Martin Josefsson!) there is available a
conntrack match. It lets you match more than the three conntrack states
you mentioned - you can match conntrack status like ASSURED, SEEN_REPLY,
etc, as well as 'states' SNAT and DNAT (matches packets which have been
SNATted or DNATted) and also match the original pre-SNAT/pre-DNAT IPs.
http://netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.3
j
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "connection tracking" and "Connection state"?
From: Intercom@x @ 2003-04-02 15:33 UTC (permalink / raw)
To: Netfilter
Hi all,
Is it possible to redirect any url request to another address, from an
internal nat address requesting a valid url to an internal specific address?
Something like
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.0/255.255.0.0 --dport 80 -j DNAT --to-destination 192.168.5.254:80
?
Thanks.
Mauricio S. Mudrik
IT Director
Intercomax - Your Office in Transit
Cybertools - Tools for Cyber Spaces
Aeroshopping.net - The (future) Brazilian Airports Portal Services
55 11 6445-2399 / 2388 / 2622
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "connection tracking" and "Connection state"?
From: Joel Newkirk @ 2003-04-02 21:04 UTC (permalink / raw)
To: Intercom@x, Netfilter
On Wednesday 02 April 2003 10:33 am, intercomax@yahoo.com.br wrote:
> Hi all,
>
> Is it possible to redirect any url request to another address, from an
> internal nat address requesting a valid url to an internal specific
> address? Something like iptables -t nat -A PREROUTING -p tcp -d
> 192.168.0.0/255.255.0.0 --dport 80 -j DNAT --to-destination
> 192.168.5.254:80 ?
Yes. However with your scenario above, if the client making the request
is in 192.168.0.0/16 then it will connect directly to the host, not
through the firewall. If the destinations being redirected are public
IPs with a local client, and the DNAT target is also local, then it is
also necessary to add:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.5.254 -j SNAT --to {FirewallLocalIP}
So that replies will be sent to the firewall to be unDNATted (and now
unSNATted) to show the IP the client expects a reply from.
j
^ permalink raw reply [flat|nested] 4+ messages in thread
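The reply path described in the last message, traced as an added example that is not part of the original thread. It models the three cases from that reply (local destination, DNAT only, DNAT plus SNAT); the client, firewall and public addresses are constructed assumptions, and only 192.168.0.0/16 and 192.168.5.254 come from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values, except the /16 range and the DNAT target,
# which are the ones used in the thread.
LAN = ip_network("192.168.0.0/16")
CLIENT = "192.168.1.10"      # assumed local client
FW_LOCAL = "192.168.0.1"     # stands in for {FirewallLocalIP}
SERVER = "192.168.5.254"     # DNAT target from the thread
PUBLIC = "203.0.113.80"      # assumed public IP being redirected


def local(addr):
    """True when addr is inside the LAN and therefore reachable on-link."""
    return ip_address(addr) in LAN


def request(dst, snat):
    """Trace one port-80 request from CLIENT and the reply it gets back.

    Returns (hops, reply_source_seen_by_client, client_accepts_reply).
    """
    if local(dst):
        # Same network: the client delivers on-link, so PREROUTING on the
        # firewall never sees the packet and the DNAT rule cannot apply.
        return (["client->host"], dst, True)
    hops = ["client->firewall"]
    src, new_dst = CLIENT, SERVER            # PREROUTING: DNAT to SERVER
    if snat:
        src = FW_LOCAL                       # POSTROUTING: SNAT to firewall
    hops.append("firewall->server")
    # The server answers whatever source address it saw.
    if src == FW_LOCAL:
        # Reply returns to the firewall; conntrack reverses SNAT and DNAT.
        hops += ["server->firewall", "firewall->client"]
        reply_src = dst
    else:
        # Source is a local client: the server replies on-link, bypassing
        # the firewall, so the DNAT is never undone.
        hops.append("server->client")
        reply_src = new_dst
    # The client only accepts a reply from the address it connected to.
    return (hops, reply_src, reply_src == dst)


if __name__ == "__main__":
    for dst, snat in (("192.168.7.7", False), (PUBLIC, False), (PUBLIC, True)):
        print(dst, "snat" if snat else "no-snat", request(dst, snat))
```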