From: Jan Humme <jan.humme@xs4all.nl>
To: thingstocome@gmx.net
Cc: netfilter@lists.samba.org
Subject: Re: Re: unexpected problem with DNAT
Date: Wed, 10 Jul 2002 16:26:16 +0200
Message-ID: <02071016261606.04513@Lms>
In-Reply-To: <514.1026309831@www1.gmx.net>
On Wednesday 10 July 2002 16:03, thingstocome@gmx.net wrote:
> > I believe it can only be fixed in the filter module somehow, as all
> > packets travel through the filter module. You may insert a rule to the
> > FORWARD chain to block the FTP-traffic from this IP-address; this should
> > take immediate effect.
> >
> > Jan Humme.
>
> Thanks for your reply.
>
> Hmm, if I attempted to block the packets of the FTP session inside the
> FORWARD chain, the destination address would already have changed to an
> address of LAN_1 (because of PREROUTING).
>
> I think I can't block these packets in the FORWARD chain by checking their
> destination address because, as you might remember, SNAT (masquerading) is
> also used by LAN_1_ADDR, so some packets of the masquerading sessions also
> have destination address LAN_1_ADDR when they pass the FORWARD chain
> (because NAT is bidirectional), so they would be blocked as well.
>
> Do you know what I mean?
I believe that this is correct.
> I could filter the packets by checking the src address as you suggested,
> but this isn't a good idea in my opinion because the src address varies
> every time, and there can also be several hosts from LAN_2 that have
> accessed LAN_1_ADDR at the same time. I would have to manually determine
> the addresses of all these LAN_2 hosts every time and set the filter
> rules. Or is there another possibility? Am I thinking in the wrong
> direction?
>
> It would be great if there were a possibility to simply wipe the entries
> of connections that have been tracked by the conntrack module.
> I think this would be the best solution but I don't know how to do it.
>
> Please tell me if I miss the point somewhere.
Well, you can `cat /proc/net/netip_con` to get a list of all connections that
are being tracked by conntrack, and use a simple script to grep/sed/awk what
you need to know in order to wipe the necessary entries.
But it is not clear to me what you are trying to achieve:
=> are you trying to cut the FTP connection in the middle of a transfer?
=> or are you trying to cut the FTP connection after some timeout?
=> and when a host on LAN2 attempts to set up an FTP-connection, do you
somehow detect this and have iptables jam in a temporary rule?
What I mean is: do you at some point have access to the host's IP-address so
you can use it to remove the (temporary)? Or perhaps schedule a removal for
later (e.g. using crontab)?
Jan Humme.
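The grep/sed/awk approach Jan mentions, as an added example that is not part of the thread: a small awk filter that pulls the LAN_2 source addresses with a tracked FTP control connection to LAN_1_ADDR out of the conntrack table, matching only the original-direction tuple so that the reply tuples of LAN_1's own masqueraded sessions do not match. It assumes the 2.4-era `/proc/net/ip_conntrack` line format; the address 10.0.0.5 and the table lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the /proc/net/ip_conntrack
# layout of 2.4 kernels: on a tcp line the ORIGINAL-direction tuple is
# fields 5-8 (src= dst= sport= dport=), followed by the reply tuple.
LAN_1_ADDR="${LAN_1_ADDR:-10.0.0.5}"   # placeholder for the DNAT target

# Constructed sample of /proc/net/ip_conntrack; replace with the real file.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.2.10 dst=10.0.0.5 sport=34567 dport=21 src=10.0.0.5 dst=192.168.2.10 sport=21 dport=34567 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.2.11 dst=10.0.0.5 sport=40001 dport=80 src=10.0.0.5 dst=192.168.2.11 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.2.12 dst=10.0.0.5 sport=35000 dport=21 src=10.0.0.5 dst=192.168.2.12 sport=21 dport=35000 [ASSURED] use=1
udp      17 29 src=192.168.2.10 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.2.10 sport=53 dport=5353 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=45000 dport=21 src=198.51.100.7 dst=10.0.0.5 sport=21 dport=45000 [ASSURED] use=1'

# ftp_clients_of TARGET  (conntrack lines on stdin)
# Prints each distinct source address whose ORIGINAL-direction tuple goes to
# TARGET port 21. The reply tuple is never inspected, so a masqueraded
# session originated by TARGET itself (last sample line) is not reported.
ftp_clients_of() {
    awk -v target="$1" '
        $1 == "tcp" {
            split($5, s, "="); split($6, d, "="); split($8, dp, "=")
            if (d[2] == target && dp[2] == "21" && !(s[2] in seen)) {
                seen[s[2]] = 1
                print s[2]
            }
        }'
}

# Runs the filter over the constructed sample; returns the addresses
# space-separated on one line so the result can be reused in a script.
ftp_clients_from_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | ftp_clients_of "$LAN_1_ADDR" \
        | tr '\n' ' ' | sed 's/ $//'
}

ftp_clients_from_sample
```

Listing the table does not remove entries; the printed addresses are meant to feed the per-host FORWARD rule suggested earlier in the thread.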