From: Martijn Lievaart <m@rtij.nl>
To: marian stagarescu <marian@ti.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: conntrack and application-triggered port forwarding
Date: Wed, 09 Apr 2003 13:21:30 +0200	[thread overview]
Message-ID: <3E94023A.8080701@rtij.nl> (raw)
In-Reply-To: <1049846579.16856.157.camel@gt4rvnd11.telogy.design.ti.com>

marian stagarescu wrote:

>i may be missing something elementary about conntrack & nat & firewall
>so please let me know if the following feature is supported in linux
>because i don't quite see it:
>
>outside the scope of specialized ALGs (e.g. ftp, h323,...) i want 
>to be able to specify that an outbound tcp/udp connection to dstport x
>will require that related traffic be allowed inbound on port y.
>
>that is to say, for a gateway:
>
>NET---| NAT/Conntrack/Firewall |---(private LAN)
>
>_IF_AND_ONLY_IF_ traffic goes from LAN on tcp/dstport X open
>forward chain to allow related udp/dstport Y to go back on LAN.
>(i have a drop policy on forward chain for traffic with input interface
>facing NET).
>
>in this example the tcp traffic will be playing the role of the control
>channel and the udp the data channel but since I know that it operates
>on predefined ports (or port ranges) i don't have to snoop into the
>control channel and get the data channel port.
>
>this will be some "generic" ALG mechanism so that for applications that
>are operating on known ports (or port ranges) i can use it without an
>ALG implementation proper.
>
>I can use static rules that will open udp/dstport Y but forward path
>will be open on this rule (proto/port) regardless of the presence of
>outbound tcp/dstport x traffic. so opening the firewall is not triggered
>by an application.
>
>
>Not being too familiar with the internals and api of conntrack i
>wonder: is such a task easy (example pointers ?)? 

The recent match should be able to do this.
1. Create a rule that matches the control channel and add the packet to 
a recent-table.
2. Match on the udp reverse packets, and on the reversed source/dest in 
the recent table. If match, accept.

Martijn
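The two steps above written out as iptables rules with the recent match. This is an added example, not code from the thread; the interface names (eth1 towards the LAN, eth0 towards NET), the ports X=5000/tcp and Y=5004/udp, the list names and the 60-second window are all constructed for illustration.

```shell
#!/bin/sh
# Application-triggered opening of the FORWARD chain with the recent match.
# All values below are constructed for this example; adjust to your gateway.
LAN=${LAN:-eth1}            # interface facing the private LAN
NET=${NET:-eth0}            # interface facing NET (the outside)
CTRL_PORT=${CTRL_PORT:-5000}   # tcp/dstport X, the control channel
DATA_PORT=${DATA_PORT:-5004}   # udp/dstport Y, the data channel
TTL=${TTL:-60}              # seconds a control-channel sighting stays valid
IPT=${IPT:-echo}            # dry-run by default; run with IPT=iptables to load

trigger_rules() {
    # Step 1: outbound control channel from the LAN. Record the LAN client
    # (source address) in list ctrl_client and the remote server
    # (destination address) in list ctrl_server, then let the packet through.
    # FORWARD sees the packet before SNAT, so the private LAN address is stored.
    $IPT -A FORWARD -i "$LAN" -o "$NET" -p tcp --dport "$CTRL_PORT" \
        -m state --state NEW \
        -m recent --name ctrl_client --rsource --set \
        -m recent --name ctrl_server --rdest --set \
        -j ACCEPT
    # Step 2: inbound data channel. Accept only when the UDP packet's source
    # is a recorded server AND its destination is a recorded client, and the
    # control channel was seen within the last TTL seconds (reversed src/dst).
    $IPT -A FORWARD -i "$NET" -o "$LAN" -p udp --dport "$DATA_PORT" \
        -m recent --name ctrl_server --rsource --rcheck --seconds "$TTL" \
        -m recent --name ctrl_client --rdest --rcheck --seconds "$TTL" \
        -j ACCEPT
}

trigger_rules
```

Note that the two lists are not correlated with each other, so any recorded server may reach any recorded client while the window is open; and on a masquerading gateway the inbound UDP still needs a DNAT rule to reach the right LAN host, since the recent match only decides whether FORWARD accepts it.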


Thread overview: 4+ messages
2003-04-09  0:02 conntrack and application-triggered port forwarding marian stagarescu
2003-04-09 11:21 ` Martijn Lievaart [this message]
2003-04-09 12:52   ` marian stagarescu
2003-04-09 15:20     ` Martijn Lievaart
