* Purely NAT
@ 2002-10-28 5:32 Jet (jchan@trusecure.com)
From: Jet (jchan@trusecure.com) @ 2002-10-28 5:32 UTC (permalink / raw)
To: netfilter@lists
Hi all,
This is my first post to the list, so please bear with me.
I have a requirement here. Is it possible to create purely NAT iptables
rules for certain IP addresses?
What I mean here is I want to enable stateful filtering for most of the
users except a certain IP address/subnet. Stateful filtering is good
sometimes, but not all the time, when you really want to do port-scanning
activities from a machine that sits behind the firewall.
Any ideas?
.//Jet
* Re: Purely NAT
From: Antony Stone @ 2002-10-28 14:44 UTC (permalink / raw)
To: netfilter@lists
On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:
> Hi all,
>
> This is my first post to the list, so please bear with me.
> I have a requirement here. Is it possible to create purely NAT
> iptables rules for certain IP addresses?
No. You can turn off stateful inspection by not loading or compiling the
connection tracking support, but you cannot use it for some addresses but not
others.
> What I mean here is I want to enable stateful filtering for most of
> the users except a certain IP address/subnet. Stateful filtering is
> good sometimes, but not all the time, when you really want to do port-scanning
> activities from a machine that sits behind the firewall.
How much memory is in the netfilter machine / what size is your conntrack
table / how many connections are you generating with your portscans for this
to be a problem?
Maybe it would help if you compile conntrack as a module and then you can
unload it when you want to empty the connection tracking table? (This will
unload *all* the entries at the same time, though.)
Antony.
--
The first ninety percent of an engineering project takes ninety percent
of the time, and the last ten percent takes the remaining ninety percent.
* Re: Purely NAT
From: Anthony Liu @ 2002-10-28 18:37 UTC (permalink / raw)
To: Antony Stone; +Cc: Netfilter Mailing List
On Mon, 28 Oct 2002 14:44:43 +0000 Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:
>
> > Hi all,
> >
> > This is my first post to the list, so please bear with me.
> > I have a requirement here. Is it possible to create purely NAT
> > iptables rules for certain IP addresses?
>
> No. You can turn off stateful inspection by not loading or compiling the
> connection tracking support, but you cannot use it for some addresses but not
> others.
Are you sure? By not using "-m state" it might actually work, how about:
iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.eee -j ACCEPT
iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.ddd -m state --state ! INVALID -j ACCEPT
* Re: Purely NAT
From: Antony Stone @ 2002-10-28 18:43 UTC (permalink / raw)
To: Netfilter Mailing List
On Monday 28 October 2002 6:37 pm, Anthony Liu wrote:
> On Mon, 28 Oct 2002 14:44:43 +0000 Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> > On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:
> > > Hi all,
> > >
> > > This is my first post to the list, so please bear with me.
> > > I have a requirement here. Is it possible to create purely NAT
> > > iptables rules for certain IP addresses?
> >
> > No. You can turn off stateful inspection by not loading or compiling
> > the connection tracking support, but you cannot use it for some addresses
> > but not others.
>
> Are you sure? By not using "-m state" it might actually work, how about:
> iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.eee -j ACCEPT
> iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.ddd -m state --state ! INVALID
> -j ACCEPT
This will allow you to create rules which do not refer to stateful
inspection, agreed, but it doesn't stop netfilter from maintaining the
connection tracking table for those connections.
Since the original poster wanted to increase the efficiency of netfilter by
avoiding the overhead of maintaining the connection tracking table, simply
writing rules which do not use -m state doesn't help.
Antony.
--
The difference between theory and practice is that
in theory there is no difference, whereas in practice there is.
* Re: Purely NAT
From: Jet (jchan@trusecure.com) @ 2002-10-29 2:18 UTC (permalink / raw)
To: Antony Stone, netfilter@lists
>
> How much memory is in the netfilter machine / what size is your conntrack
> table / how many connections are you generating with your portscans for this
> to be a problem?
This is not a matter of the number of connections generated by the
portscanner, but of the type of scanning option.
If you turn on stateful filtering and you try to scan a class B (or
multiple class C) address using "nmap -sS", then you are in trouble.
According to the iptables source code, you will have to wait five days for
the timeout.
FYI, my machine has 64MB and I know it defaults to 4K connections. I tried
to increase it to 64K, and I got other processes being killed (the OOM bug);
sometimes the machine hangs.
This is kernel 2.4.18.
Even if I put in more RAM, let's say 512MB/1GB, the maximum of the connection
table is only 64K. (Correct me if I'm wrong.)
My point here is that any iptables with a 64K limitation on the connection
table can be easily DoSed by a scan (using either "nmap -sS" or "nmap -sA").
.//Jet
* Re: Purely NAT
From: Alexey Talikov @ 2002-10-29 4:43 UTC (permalink / raw)
To: Jet (jchan@trusecure.com); +Cc: netfilter, netfilter
Hello Jet,
See the raw patch from patch-o-matic in the userspace directory.
-----------------------------------
mailto:alexey_talikov@texlab.com.uz
BR
Alexey Talikov
FORTEK
-----------------------------------
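What Alexey's pointer to the patch-o-matic raw patch gives you, and why Antony is right that merely leaving out -m state does not keep a flow out of the conntrack table, as an added example that is not from the thread or the netfilter project: the raw table is traversed before conntrack, so a NOTRACK rule there is the only way to exempt one host while everyone else stays stateful. SCANNER, WAN and the sample count/max figures are assumed values, and the script only prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the thread or the netfilter project: exempt one
# internal host from connection tracking with the raw table's NOTRACK target
# (the patch-o-matic "raw" patch; mainline since 2.6) while everyone else
# keeps stateful filtering. SCANNER and WAN are assumed values.
# Caveat: netfilter NAT is built on conntrack, so an untracked flow cannot be
# NATed; the exempted host therefore needs an address that is routable as-is.
# Default is a dry run that prints the commands; set IPT=iptables to apply.
IPT=${IPT:-echo}
SCANNER=${SCANNER:-192.0.2.10}   # host to exempt (TEST-NET-1, constructed)
WAN=${WAN:-ppp0}                 # external interface, as in the thread

# The raw table runs before conntrack, so marking packets NOTRACK there is what
# keeps them out of the table; omitting -m state in a filter rule does not.
notrack_rules() {
    $IPT -t raw -A PREROUTING -s "$SCANNER" -j NOTRACK
    $IPT -t raw -A PREROUTING -d "$SCANNER" -j NOTRACK
    # Untracked packets never match ESTABLISHED/RELATED, so accept them explicitly.
    $IPT -A FORWARD -o "$WAN" -s "$SCANNER" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -d "$SCANNER" -j ACCEPT
}

# Everyone else: replies to tracked connections in, new connections out only.
stateful_rules() {
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD ! -i "$WAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Table headroom from a count/max pair (current kernels expose them as
# /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max; 2.4 used
# /proc/sys/net/ipv4/ip_conntrack_count and ip_conntrack_max).
# Prints the percentage in use and returns 1 when it is at or above 90%.
conntrack_headroom() {
    count=$1 max=$2
    pct=$(( count * 100 / max ))
    echo "$pct"
    [ "$pct" -lt 90 ]
}

notrack_rules
stateful_rules
# Sample figures (constructed): a 4K default table nearly full during a scan.
conntrack_headroom 3900 4096 || echo "conntrack table nearly full" >&2
```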