* FORWARD rules
@ 2003-09-10 17:52 Payal Rathod
2003-09-10 18:44 ` Ramin Dousti
` (2 more replies)
0 siblings, 3 replies; 21+ messages in thread
From: Payal Rathod @ 2003-09-10 17:52 UTC (permalink / raw)
To: netfilter
Hi,
I had kept the default policy of FORWARD as drop.
Now, I wanted to see an internal machine from internet. So, I used
DNAT as,
iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
It didn't work. When I set the default FORWARD policy to ACCEPT it
worked.
What is a better approach? I want to have a default DROP in FORWARD
chain. My FORWARD chain looked like this,
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
What more do I add to allow natting as well as a secure FORWARD policy?
Is the position of ESTABLISHED rule ok?
Thanks a lot for the help in advance and waiting eagerly for the mails.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: FORWARD rules
2003-09-10 17:52 FORWARD rules Payal Rathod
@ 2003-09-10 18:44 ` Ramin Dousti
2003-09-11 2:15 ` netfilter
2003-09-10 18:47 ` Vladimir Potapov
2003-09-11 6:09 ` Vishwanatn T. K.
2 siblings, 1 reply; 21+ messages in thread
From: Ramin Dousti @ 2003-09-10 18:44 UTC (permalink / raw)
To: netfilter
On Wed, Sep 10, 2003 at 11:22:53PM +0530, Payal Rathod wrote:
> Hi,
> I had kept the default policy of FORWARD as drop.
> Now, I wanted to see an internal machine from internet. So, I used
> DNAT as,
>
> iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
> It didn't work. When I set the default FORWARD policy to ACCEPT it
> worked.
>
> What is a better approach? I want to have a default DROP in FORWARD
> chain. My FORWARD chain looked like this,
Keep the default "DROP" policy and just open whatever is needed
including the DNAT'ed packets coming in.
The place of the ESTABLISHED,RELATED rule should be at the top of
your rule set.
Ramin
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-10 18:44 ` Ramin Dousti
@ 2003-09-11 2:15 ` netfilter
0 siblings, 0 replies; 21+ messages in thread
From: netfilter @ 2003-09-11 2:15 UTC (permalink / raw)
To: Ramin Dousti; +Cc: netfilter
On Wed, Sep 10, 2003 at 02:44:30PM -0400, Ramin Dousti wrote:
> On Wed, Sep 10, 2003 at 11:22:53PM +0530, Payal Rathod wrote:
>
> Keep the default "DROP" policy and just open whatever is needed
> including the DNAT'ed packets coming in.
Please explain in a bit more detail relating to my data. Will keeping
the ESTABLISHED,RELATED rule at top and putting default DROP policy set
it right?
Thanks a lot and waiting for the reply.
With warm regards,
-Payal
> The place of the ESTABLISHED,RELATED rule should be at the top of
> your rule set.
>
> Ramin
>
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 21+ messages in thread
* RE: FORWARD rules
2003-09-10 17:52 FORWARD rules Payal Rathod
2003-09-10 18:44 ` Ramin Dousti
@ 2003-09-10 18:47 ` Vladimir Potapov
2003-09-11 6:09 ` Vishwanatn T. K.
2 siblings, 0 replies; 21+ messages in thread
From: Vladimir Potapov @ 2003-09-10 18:47 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
What more do I add to allow natting as well as a secure FORWARD policy?
Is the position of ESTABLISHED rule ok?
You need to add a chains for NEW packets with tcp-flags syn.You need replace
from console :
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
to
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p tcp -m tcp --dport
53 --syn -j ACCEPT
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p udp -m udp --dport
53 -j ACCEPT
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p tcp -m tcp --dport
80 --syn -j ACCEPT
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p tcp -m tcp --dport
110 --syn -j ACCEPT
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-10 17:52 FORWARD rules Payal Rathod
2003-09-10 18:44 ` Ramin Dousti
2003-09-10 18:47 ` Vladimir Potapov
@ 2003-09-11 6:09 ` Vishwanatn T. K.
2003-09-12 10:09 ` Payal Rathod
2003-09-12 10:35 ` Cedric Blancher
2 siblings, 2 replies; 21+ messages in thread
From: Vishwanatn T. K. @ 2003-09-11 6:09 UTC (permalink / raw)
To: Payal Rathod; +Cc: netfilter
On Wed, 2003-09-10 at 17:52, Payal Rathod wrote:
> Hi,
> I had kept the default policy of FORWARD as drop.
> Now, I wanted to see an internal machine from internet. So, I used
> DNAT as,
>
> iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
> It didn't work. When I set the default FORWARD policy to ACCEPT it
> worked.
>
> What is a better approach? I want to have a default DROP in FORWARD
> chain. My FORWARD chain looked like this,
>
>
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> What more do I add to allow natting as well as a secure FORWARD policy?
> Is the position of ESTABLISHED rule ok?
>
You need to add NEW state in the above FORWARD rule for this to work.
$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> Thanks a lot for the help in advance and waiting eagerly for the mails.
> With warm regards,
> -Payal
Vishwanath
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-11 6:09 ` Vishwanatn T. K.
@ 2003-09-12 10:09 ` Payal Rathod
2003-09-12 10:45 ` Cedric Blancher
2003-09-12 10:35 ` Cedric Blancher
1 sibling, 1 reply; 21+ messages in thread
From: Payal Rathod @ 2003-09-12 10:09 UTC (permalink / raw)
To: Vishwanatn T. K.; +Cc: netfilter
On Thu, Sep 11, 2003 at 06:09:29AM +0000, Vishwanatn T. K. wrote:
> > $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > What more do I add to allow natting as well as a secure FORWARD policy?
> > Is the position of ESTABLISHED rule ok?
> >
>
> You need to add NEW state in the above FORWARD rule for this to work.
>
> $IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Just confirming this from all. Please check whether this is ok.
$IPTABLES -I PREROUTING -t nat -p tcp -d 202.x.x.x -j DNAT --to 125.125.125.2
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P FORWARD ACCEPT
^^^^^^
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Can I now change the ACCEPT statement to DROP without any fear?
Thanks a lot in advance and bye.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-12 10:09 ` Payal Rathod
@ 2003-09-12 10:45 ` Cedric Blancher
2003-09-12 14:36 ` Arnt Karlsen
0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-12 10:45 UTC (permalink / raw)
To: Payal Rathod; +Cc: Vishwanatn T. K., netfilter
Le ven 12/09/2003 à 12:09, Payal Rathod a écrit :
> Just confirming this from all. Please check whether this is ok.
[...]
> $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
With this rule, you will just accept anything, except INVALID packets
that are quite uncommon (very most of them are ICMP).
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
Thoses rules won't get reached, as first one accept all packets. You
should consider this instead :
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
-m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
-m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
-m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
-m tcp --dport 110 -j ACCEPT
Keeping ESTABLISHED,RELATED rule at top of ruleset is an optimization,
as most packet you will receive will have ESTABLISHED state. It's better
to treat them early so they don't go through the whole chain.
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> $IPTABLES -P FORWARD ACCEPT
> ^^^^^^
> $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Same than below. It's about the same than an policy set to ACCEPT...
> Can I now change the ACCEPT statement to DROP without any fear?
Sure.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-12 10:45 ` Cedric Blancher
@ 2003-09-12 14:36 ` Arnt Karlsen
2003-09-12 14:51 ` Cedric Blancher
0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-12 14:36 UTC (permalink / raw)
To: netfilter
On Fri, 12 Sep 2003 12:45:34 +0200,
Cedric Blancher <blancher@cartel-securite.fr> wrote in message
<1063363533.879.52.camel@elendil.intranet.cartel-securite.net>:
> > $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
..lose "NEW".
> > -j ACCEPT
>
> Same than below. It's about the same than an policy set to ACCEPT...
>
> > Can I now change the ACCEPT statement to DROP without any fear?
>
> Sure.
>
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-12 14:36 ` Arnt Karlsen
@ 2003-09-12 14:51 ` Cedric Blancher
2003-09-12 18:14 ` Arnt Karlsen
0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-12 14:51 UTC (permalink / raw)
To: Arnt Karlsen; +Cc: netfilter
Le ven 12/09/2003 à 16:36, Arnt Karlsen a écrit :
> On Fri, 12 Sep 2003 12:45:34 +0200,
> Cedric Blancher <blancher@cartel-securite.fr> wrote in message
> > > $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
> ..lose "NEW".
Just what I said, wasn't it ?
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-12 14:51 ` Cedric Blancher
@ 2003-09-12 18:14 ` Arnt Karlsen
2003-09-13 2:26 ` Payal Rathod
0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-12 18:14 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
On Fri, 12 Sep 2003 16:51:41 +0200,
Cedric Blancher <blancher@cartel-securite.fr> wrote in message
<1063378301.888.66.camel@elendil.intranet.cartel-securite.net>:
> Le ven 12/09/2003 à 16:36, Arnt Karlsen a écrit :
> > On Fri, 12 Sep 2003 12:45:34 +0200,
> > Cedric Blancher <blancher@cartel-securite.fr> wrote in message
> > > > $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
> > ..lose "NEW".
>
> Just what I said, wasn't it ?
..nah, but you probably _meant_ it. ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-12 18:14 ` Arnt Karlsen
@ 2003-09-13 2:26 ` Payal Rathod
2003-09-13 6:42 ` Arnt Karlsen
0 siblings, 1 reply; 21+ messages in thread
From: Payal Rathod @ 2003-09-13 2:26 UTC (permalink / raw)
To: netfilter
On Fri, Sep 12, 2003 at 08:14:25PM +0200, Arnt Karlsen wrote:
> On Fri, 12 Sep 2003 16:51:41 +0200,
> > > ..lose "NEW".
> >
> > Just what I said, wasn't it ?
>
> ..nah, but you probably _meant_ it. ;-)
I think he said it :). Look below.
| $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
| $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
| -m tcp --dport 53 -j ACCEPT
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-13 2:26 ` Payal Rathod
@ 2003-09-13 6:42 ` Arnt Karlsen
2003-09-15 7:56 ` Cedric Blancher
0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-13 6:42 UTC (permalink / raw)
To: netfilter
On Sat, 13 Sep 2003 07:56:58 +0530,
Payal Rathod <payal-iptables@staticky.com> wrote in message
<20030913022658.GD1667@linux.local>:
> On Fri, Sep 12, 2003 at 08:14:25PM +0200, Arnt Karlsen wrote:
> > On Fri, 12 Sep 2003 16:51:41 +0200,
> > > > ..lose "NEW".
> > >
> > > Just what I said, wasn't it ?
> >
> > ..nah, but you probably _meant_ it. ;-)
>
> I think he said it :). Look below.
>
>
> | $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> | $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp
> | \ -m tcp --dport 53 -j ACCEPT
>
> -Payal
..wrong snippet. ;-) Reread the thread, and you'll see both I
and Cedric weren't to clear on that we meant to say, we _implied_
things instead of actually _saying_ them, I snipped to hard and
lost Cedric, and added to the confusion. I'm talking about the
"NEW" under this bit:
" > $IPTABLES -P FORWARD ACCEPT
> ^^^^^^ ".
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-13 6:42 ` Arnt Karlsen
@ 2003-09-15 7:56 ` Cedric Blancher
2003-09-15 16:32 ` Arnt Karlsen
0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-15 7:56 UTC (permalink / raw)
To: Arnt Karlsen; +Cc: netfilter
Le sam 13/09/2003 à 08:42, Arnt Karlsen a écrit :
> ..wrong snippet. ;-) Reread the thread, and you'll see both I
> and Cedric weren't to clear on that we meant to say, we _implied_
> things instead of actually _saying_ them
So, for the things to get clear, the whole script should be[1] :
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
-m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
-m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
-m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
-m tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
A -m state --state NEW,ESTABLISHED,RELATED _should not_ be used, as it's
an quasi-generic full match (i.e. nearly matches all packets).
[1] Note I did a typo in my
<1063363533.879.52.camel@elendil.intranet.cartel-securite.net> post,
it's FORWARD, not INPUT...
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: FORWARD rules
2003-09-15 7:56 ` Cedric Blancher
@ 2003-09-15 16:32 ` Arnt Karlsen
2003-09-15 17:34 ` Cedric Blancher
0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-15 16:32 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
On Mon, 15 Sep 2003 09:56:22 +0200,
Cedric Blancher <blancher@cartel-securite.fr> wrote in message
<1063612582.928.17.camel@elendil.intranet.cartel-securite.net>:
> Le sam 13/09/2003 à 08:42, Arnt Karlsen a écrit :
> > ..wrong snippet. ;-) Reread the thread, and you'll see both I
> > and Cedric weren't to clear on that we meant to say, we _implied_
> > things instead of actually _saying_ them
>
> So, for the things to get clear, the whole script should be[1] :
>
>
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P INPUT DROP
>
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
> -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
> -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp
> \ -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp
> \ -m tcp --dport 110 -j ACCEPT
>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
>
> A -m state --state NEW,ESTABLISHED,RELATED _should not_ be used, as
> it's an quasi-generic full match (i.e. nearly matches all packets).
>
>
> [1] Note I did a typo in my
> <1063363533.879.52.camel@elendil.intranet.cartel-securite.net> post,
> it's FORWARD, not INPUT...
..me too, ;-) I ofcourse meant we "weren't too clear on what
we meant to say"... ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-15 16:32 ` Arnt Karlsen
@ 2003-09-15 17:34 ` Cedric Blancher
2003-09-16 4:28 ` Payal Rathod
0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-15 17:34 UTC (permalink / raw)
To: Arnt Karlsen; +Cc: netfilter
Le lun 15/09/2003 à 18:32, Arnt Karlsen a écrit :
> ..me too, ;-) I ofcourse meant we "weren't too clear on what
> we meant to say"... ;-)
We are now, that's the important point :)
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-15 17:34 ` Cedric Blancher
@ 2003-09-16 4:28 ` Payal Rathod
2003-09-16 23:31 ` Arnt Karlsen
0 siblings, 1 reply; 21+ messages in thread
From: Payal Rathod @ 2003-09-16 4:28 UTC (permalink / raw)
To: Cedric Blancher; +Cc: Arnt Karlsen, netfilter
On Mon, Sep 15, 2003 at 07:34:22PM +0200, Cedric Blancher wrote:
> Le lun 15/09/2003 à 18:32, Arnt Karlsen a écrit :
> > ..me too, ;-) I ofcourse meant we "weren't too clear on what
> > we meant to say"... ;-)
>
> We are now, that's the important point :)
I am still confused. What you really meant and what you really said. Are
you losing your brains or am I :)
-Payal
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>
--
For GNU/Linux Success Stories and Articles visit:
http://payal.staticky.com
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: FORWARD rules
2003-09-16 4:28 ` Payal Rathod
@ 2003-09-16 23:31 ` Arnt Karlsen
0 siblings, 0 replies; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-16 23:31 UTC (permalink / raw)
To: netfilter
On Tue, 16 Sep 2003 04:28:23 +0000,
Payal Rathod <payal-iptables@staticky.com> wrote in message
<20030916042823.GC10468@staticky.com>:
> On Mon, Sep 15, 2003 at 07:34:22PM +0200, Cedric Blancher wrote:
> > Le lun 15/09/2003 à 18:32, Arnt Karlsen a écrit :
> > > ..me too, ;-) I ofcourse meant we "weren't too clear on what
> > > we meant to say"... ;-)
> >
> > We are now, that's the important point :)
>
> I am still confused. What you really meant and what you really said.
> Are you losing your brains or am I :)
> -Payal
.. ;-) You wanna reread what Cedric wrote in his message
<1063612582.928.17.camel@elendil.intranet.cartel-securite.net>.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
2003-09-11 6:09 ` Vishwanatn T. K.
2003-09-12 10:09 ` Payal Rathod
@ 2003-09-12 10:35 ` Cedric Blancher
1 sibling, 0 replies; 21+ messages in thread
From: Cedric Blancher @ 2003-09-12 10:35 UTC (permalink / raw)
To: tkvishy; +Cc: Payal Rathod, netfilter
Le jeu 11/09/2003 à 08:09, Vishwanatn T. K. a écrit :
> You need to add NEW state in the above FORWARD rule for this to work.
> $IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
It will let is firewall wide open.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: FORWARD rules
@ 2003-09-16 4:28 Payal Rathod
0 siblings, 0 replies; 21+ messages in thread
From: Payal Rathod @ 2003-09-16 4:28 UTC (permalink / raw)
To: Cedric Blancher; +Cc: Arnt Karlsen, netfilter
On Mon, Sep 15, 2003 at 07:34:22PM +0200, Cedric Blancher wrote:
> Le lun 15/09/2003 à 18:32, Arnt Karlsen a écrit :
> > ..me too, ;-) I ofcourse meant we "weren't too clear on what
> > we meant to say"... ;-)
>
> We are now, that's the important point :)
I am still confused. What you really meant and what you really said. Are
you losing your brains or am I :)
-Payal
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>
--
For GNU/Linux Success Stories and Articles visit:
http://payal.staticky.com
\x01\x02Boundary_(ID_4A0cY3G8hOPMC+Afj5AwCA)
^ permalink raw reply [flat|nested] 21+ messages in thread* Forward rules
@ 2003-11-28 19:18 Alejandro Cabrera Obed
2003-11-28 20:03 ` Jeffrey Laramie
0 siblings, 1 reply; 21+ messages in thread
From: Alejandro Cabrera Obed @ 2003-11-28 19:18 UTC (permalink / raw)
To: Netfilter lista (iptables)
Hello !!!
I'm building my FORWARD table rules, and I want to implement this: "Drop all
FORWARD packets by default and then accept only packets coming from LAN
(192.168.0.0/24) with the related and established condition and leaving my
external interface ($INET_IFACE)".
Is the next ruleset according to what I want or can I change the order ???
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -s 192.168.0.0/24 -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
I suppose with this implementation I'm discarding packet forwarding coming
from 127.0.0.0/24, 10.0.0.0/8 and 172.16.0.0/12 (because my default policy
is DROP by default)....is it OK ???
Thousands of thanks :)
Alejandro
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: Forward rules
2003-11-28 19:18 Forward rules Alejandro Cabrera Obed
@ 2003-11-28 20:03 ` Jeffrey Laramie
0 siblings, 0 replies; 21+ messages in thread
From: Jeffrey Laramie @ 2003-11-28 20:03 UTC (permalink / raw)
To: netfilter
On Friday 28 November 2003 14:18, Alejandro Cabrera Obed wrote:
> Hello !!!
>
Hi Alejandro
> I'm building my FORWARD table rules, and I want to implement this: "Drop
> all FORWARD packets by default and then accept only packets coming from LAN
> (192.168.0.0/24) with the related and established condition and leaving my
> external interface ($INET_IFACE)".
>
> Is the next ruleset according to what I want or can I change the order ???
>
> $IPTABLES -P FORWARD DROP
> $IPTABLES -A FORWARD -s 192.168.0.0/24 -o $INET_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I suppose with this implementation I'm discarding packet forwarding coming
> from 127.0.0.0/24, 10.0.0.0/8 and 172.16.0.0/12 (because my default policy
> is DROP by default)....is it OK ???
>
Your rules will work fine. A couple of hints:
1. Even though the -P FORWARD DROP comes first in the ruleset, it is the
default policy and it will always be the last rule checked.
2. Most of your traffic will be accepted by your ESTABLISHED,RELATED rule so
for maximum efficiency it should always be as close to the top of your chain
as possible (but after the default policy).
3. It is *slightly* better to use -i $LAN_IFACE instead of -o $INET_IFACE. It
doesn't matter when there are only 2 interfaces, but if you were to add
another interface in the future -i $LAN_IFACE will offer the same spoofing
protection to the new interface.
Jeff
^ permalink raw reply [flat|nested] 21+ messages in thread
end of thread, other threads:[~2003-11-28 20:03 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-09-10 17:52 FORWARD rules Payal Rathod
2003-09-10 18:44 ` Ramin Dousti
2003-09-11 2:15 ` netfilter
2003-09-10 18:47 ` Vladimir Potapov
2003-09-11 6:09 ` Vishwanatn T. K.
2003-09-12 10:09 ` Payal Rathod
2003-09-12 10:45 ` Cedric Blancher
2003-09-12 14:36 ` Arnt Karlsen
2003-09-12 14:51 ` Cedric Blancher
2003-09-12 18:14 ` Arnt Karlsen
2003-09-13 2:26 ` Payal Rathod
2003-09-13 6:42 ` Arnt Karlsen
2003-09-15 7:56 ` Cedric Blancher
2003-09-15 16:32 ` Arnt Karlsen
2003-09-15 17:34 ` Cedric Blancher
2003-09-16 4:28 ` Payal Rathod
2003-09-16 23:31 ` Arnt Karlsen
2003-09-12 10:35 ` Cedric Blancher
-- strict thread matches above, loose matches on Subject: below --
2003-09-16 4:28 Payal Rathod
2003-11-28 19:18 Forward rules Alejandro Cabrera Obed
2003-11-28 20:03 ` Jeffrey Laramie
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.