* Quick help with NOTRACK rule
From: Alex Flex @ 2013-08-13 22:57 UTC (permalink / raw)
To: netfilter
Hello all,
I have a simple ruleset (for testing purposes); I am trying to exclude
only the SSH service from being tracked by conntrack. I have not been able
to achieve this. I am obviously missing something?
#!/bin/bash
#### CLEANUP
/sbin/iptables -P OUTPUT ACCEPT;
/sbin/iptables -P INPUT DROP;
/sbin/iptables -P FORWARD ACCEPT;
/sbin/iptables -F;
/sbin/iptables -X;
### CLEANUP
# DEFAULT POLICIES
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# LOOP BACK ALLOWED
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#KEEP STATE BOTH INPUT / OUTPUT (STATEFULL FIREWALL)
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t raw -A OUTPUT -p tcp --sport 22 -j NOTRACK
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -j ACCEPT
After applying the above and reconnecting via ssh to the machine, I
still see this in the table:
ipv4 2 tcp 6 185 ESTABLISHED src=221.199.62.74 dst=26.38.165.111 sport=1063 dport=22 src=26.38.165.111 dst=221.199.62.74 sport=22 dport=1063 [ASSURED] mark=0 secmark=0 use=2
I also tried adding one more rule, iptables -t raw -A INPUT -p tcp
--sport 22 -j NOTRACK, but I get:
iptables: No chain/target/match by that name.
Thanks
Alex
* Re: Quick help with NOTRACK rule
From: Pascal Hambourg @ 2013-08-14 7:57 UTC (permalink / raw)
To: netfilter
Hello,
Alex Flex wrote:
>
> I also tried adding one more rule iptables -t raw -A INPUT -p tcp
> --sport 22 -j NOTRACK but i get
> iptables: No chain/target/match by that name.
Please read the iptables man page about the raw table:
It provides the following built-in chains: PREROUTING (for
packets arriving via any network interface) OUTPUT (for
packets generated by local processes)
Also, you want to match incoming packets with destination port 22, not
source. So :
iptables -t raw -A PREROUTING -p tcp --dport 22 -j NOTRACK
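A complete version of that fix, as an added example that is not code from the thread: it untracks sshd traffic in both directions using only the raw table's real built-in chains (PREROUTING by destination port for inbound packets, OUTPUT by source port for the replies), accepts the now-UNTRACKED inbound SSH packets explicitly, since the ESTABLISHED,RELATED rule no longer matches them, and counts the conntrack entries that still mention TCP port 22 so the result can be checked rather than eyeballed. The function names, the sshd port, and the sample conntrack listing (fake addresses) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes sshd listens on TCP/22 and
# that the host has iptables with nf_conntrack; function names are illustrative.

# The raw table only has PREROUTING and OUTPUT, so inbound packets are
# untracked there by destination port and outbound replies by source port.
# Untracked packets never reach ESTABLISHED, so INPUT must accept them itself.
ssh_notrack_rules() {
    cat <<'EOF'
iptables -t raw -A PREROUTING -p tcp --dport 22 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport 22 -j NOTRACK
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate UNTRACKED -j ACCEPT
EOF
}

# Apply the rules; sh -e aborts on the first iptables error. Needs root.
apply_ssh_notrack() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ssh_notrack: must run as root" >&2
        return 1
    fi
    ssh_notrack_rules | sh -e
}

# Count conntrack entries on stdin that involve TCP port 22 in either
# direction. Accepts /proc/net/nf_conntrack or `conntrack -L` output.
# The trailing ( |$) keeps dport=2222 from matching; UDP entries are ignored.
ssh_conntrack_entries() {
    grep -cE 'tcp +[0-9]+ .*(sport|dport)=22( |$)' || true
}

# Constructed sample listing (fake RFC 5737 addresses), one SSH session,
# one NRPE session on 5666, one TCP session on 2222 and one UDP flow whose
# ephemeral port happens to be 22. Only the first line should count.
sample_conntrack_listing() {
    cat <<'EOF'
ipv4     2 tcp      6 185 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=1063 dport=22 src=192.0.2.20 dst=192.0.2.10 sport=22 dport=1063 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=40000 dport=5666 src=192.0.2.20 dst=192.0.2.10 sport=5666 dport=40000 [ASSURED] mark=0 secmark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=50000 dport=2222 src=192.0.2.20 dst=192.0.2.10 sport=2222 dport=50000 [ASSURED] mark=0 secmark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.20 dst=192.0.2.1 sport=22 dport=53 src=192.0.2.1 dst=192.0.2.20 sport=53 dport=22 mark=0 secmark=0 use=1
EOF
}

# Offline demonstration on the sample. On a live host run "$0 apply" as root,
# reconnect over ssh, then pipe /proc/net/nf_conntrack into the counter.
if [ "${1:-}" = "apply" ]; then
    apply_ssh_notrack
fi
echo "SSH conntrack entries in sample listing: $(sample_conntrack_listing | ssh_conntrack_entries)"
```

Two things to keep in mind when checking the result on a real host. First, NOTRACK only affects packets as they arrive; an entry created before the rules were loaded (for instance the SSH session the script was run from) stays in the table until it times out, so either reconnect and wait, or delete it with conntrack-tools (`conntrack -D -p tcp --dport 22`, or `conntrack -F` for the whole table) before counting. Second, `iptables -t raw -L -n -v` shows the packet counters on the two NOTRACK rules, which is the quickest way to confirm that inbound SSH packets are actually hitting PREROUTING rather than being tracked.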