* Connection states information tables
@ 2004-09-21 18:55 Lorenzo Rossi
  2004-09-21 19:10 ` Aleksandar Milivojevic
  0 siblings, 1 reply; 3+ messages in thread
From: Lorenzo Rossi @ 2004-09-21 18:55 UTC (permalink / raw)
  To: netfilter


Hi,
I have a question concerning the tables where the information about the
connection states is maintained.
I configured my firewall script with the following lines, to permit
the SSH traffic originated from the protected zone to go to Internet.

iptables -A TCP_IN -i $INTERFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

iptables -A TCP_OUT -o $INTERFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

The custom chain TCP_IN is listed in the default INPUT chain.
The custom chain TCP_OUT is listed in the default OUTPUT chain.
The default policy for the INPUT and OUTPUT chains, as you can
imagine, is to DROP.

My question is:
How many state tables are used? one table for each main chain?
One for INPUT and one for OUTPUT?

I'm a bit confused..... :)

Thanks
Lorenzo


* RE: Connection states information tables
@ 2004-09-21 19:00 Daniel Chemko
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Chemko @ 2004-09-21 19:00 UTC (permalink / raw)
  To: condor_rl, netfilter

> My question is:
> How many state tables are used? one table for each main chain?
> One for INPUT and one for OUTPUT?

The STATE is maintained by the ip_conntrack module. It uses one big list
to maintain the current state of all active sessions through the system.
Run cat /proc/net/ip_conntrack to see the human readable version of this
list.


* Re: Connection states information tables
  2004-09-21 18:55 Connection states information tables Lorenzo Rossi
@ 2004-09-21 19:10 ` Aleksandar Milivojevic
  0 siblings, 0 replies; 3+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-21 19:10 UTC (permalink / raw)
  To: condor_rl; +Cc: netfilter

Lorenzo Rossi wrote:
> My question is:
> How many state tables are used? one table for each main chain?
> One for INPUT and one for OUTPUT?

Only one table is used, regardless of how many tables and/or chains you 
have.  Everything goes into that one table.  Having separate tables, one 
for each chain, wouldn't be of much use (then you couldn't match 
incoming and outgoing packets of a single connection, unless you traverse 
all those tables, which is just the same as having one table).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
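To make the single-table point from both replies concrete, here is an added example (not code from this thread or from the netfilter project): a small Python parser for the human-readable /proc/net/ip_conntrack format, followed by the lookup conntrack effectively performs for each packet. The sample entries are constructed, the addresses and ports are made up, and the helper names (parse_conntrack, lookup, classify) are this example's own. It shows that the outgoing SSH packet (dport 22) and the incoming reply (sport 22) resolve to the same entry, just in opposite directions, which is why one table serves both INPUT and OUTPUT.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/ip_conntrack output (not captured from a
# real host): one SSH session from the protected LAN to the Internet, and an
# outbound DNS query whose reply has not arrived yet ([UNREPLIED]).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40512 dport=22 src=203.0.113.5 dst=192.168.1.10 sport=22 dport=40512 [ASSURED] use=1
udp     17 29 src=192.168.1.10 dst=198.51.100.53 sport=51234 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.168.1.10 sport=53 dport=51234 use=1
"""

# A packet is identified here by its 4-tuple: (src, dst, sport, dport).
Tuple4 = Tuple[str, str, int, int]

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
FLAG_RE = re.compile(r"\[(\w+)\]")


def parse_conntrack(text: str) -> List[Dict]:
    """Parse ip_conntrack lines into entries holding both tuples of a flow.

    Each entry stores the original-direction tuple (as first seen) and the
    reply-direction tuple, which is how a single table can match traffic
    in either direction.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        proto = fields[0]
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            raise ValueError(f"expected an original and a reply tuple: {line!r}")
        orig = (tuples[0][0], tuples[0][1], int(tuples[0][2]), int(tuples[0][3]))
        reply = (tuples[1][0], tuples[1][1], int(tuples[1][2]), int(tuples[1][3]))
        # TCP lines carry a state name after the timeout; UDP lines do not.
        state = fields[3] if proto == "tcp" else None
        entries.append({
            "proto": proto,
            "timeout": int(fields[2]),
            "state": state,
            "orig": orig,
            "reply": reply,
            "flags": set(FLAG_RE.findall(line)),
        })
    return entries


def lookup(entries: List[Dict], proto: str, pkt: Tuple4) -> Optional[Tuple[Dict, str]]:
    """Find the entry a packet belongs to and the direction it travels in.

    The packet's 4-tuple is compared against both tuples of every entry in
    the one table; the chain the packet traverses plays no part in this.
    """
    for entry in entries:
        if entry["proto"] != proto:
            continue
        if pkt == entry["orig"]:
            return entry, "ORIGINAL"
        if pkt == entry["reply"]:
            return entry, "REPLY"
    return None


def classify(entries: List[Dict], proto: str, pkt: Tuple4) -> str:
    """Approximate the '-m state' value a packet would match."""
    hit = lookup(entries, proto, pkt)
    if hit is None:
        return "NEW"  # no entry yet: this packet would create one
    entry, direction = hit
    # Until a reply has been seen, repeats in the original direction are
    # still NEW; the first reply (and everything after) is ESTABLISHED.
    if "UNREPLIED" in entry["flags"] and direction == "ORIGINAL":
        return "NEW"
    return "ESTABLISHED"


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    out_ssh = ("192.168.1.10", "203.0.113.5", 40512, 22)   # leaves via OUTPUT
    in_ssh = ("203.0.113.5", "192.168.1.10", 22, 40512)    # arrives via INPUT
    for pkt in (out_ssh, in_ssh):
        entry, direction = lookup(table, "tcp", pkt)
        print(pkt, "->", direction, "state", classify(table, "tcp", pkt))
```

Running the block prints the OUTPUT-side and INPUT-side SSH packets resolving to the same entry as ORIGINAL and REPLY respectively; a packet from a source port with no entry comes back as NEW, which is the case the TCP_OUT rule's NEW match is there to accept.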

