* netfilter newbie questions
From: matthieu imbert @ 2004-04-16 8:45 UTC (permalink / raw)
To: netfilter
Hi,
I have three questions about iptables:
1/
I read the packet-filtering HOWTO (http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html)
The first example uses the ip_conntrack module, which allows the state match, as in the following rule:
iptables -A block -m state --state NEW -j REJECT
On the other hand, my Red Hat 9 was automatically configured by lokkit with something that looks similar but does not use ip_conntrack:
iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
What are the exact differences between these two ways of doing the same thing? (Is it related to the way fragments are handled?)
2/
About fragments (see http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html)
In the paragraph "Specifying fragments", it says:
"If you are doing connection tracking or NAT, then all fragments will get merged back together before they reach the packet filtering code, so you need never worry about fragments."
But five lines below, it also says that we can only filter the first fragment, because further fragments don't have a TCP header.
So, are fragments merged or not? Does it mean that by default fragments are not merged, but that as soon as we use NAT or ip_conntrack they are merged? This is what I understand, but I just want a confirmation.
3/
I'm new to Linux, so this one may seem trivial, but let's ask it:
How are netfilter routing and other kernel routing related?
I mean:
There is a /sbin/route command that lists a routing table, and we can also modify this table.
But there is also some routing in iptables, as far as I understand.
Also, browsing through some HOWTOs, I saw mentions of an iproute2 command.
All of this is very confusing to me, so what is the architecture of all this? I already read "The journey of a packet through the Linux 2.4 network stack" by Harald Welte, but it did not help clarify the overall scheme.
Thanks in advance
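Added example, not code from the thread or from the HOWTO: a small POSIX shell model of the two rules in the question above, run over a constructed packet stream. --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN, so the lokkit rule looks only at the flag bits of a TCP packet; -m state --state NEW asks conntrack whether the packet belongs to a connection it already has an entry for, whatever the protocol. The model shows where the two disagree: a bare ACK that conntrack has no entry for (an ACK scan) and a UDP datagram both sail past the --syn rule but are NEW to conntrack, while a packet of an already tracked connection passes both. The conntrack table here is a flat list of tuples with no TCP state machine, no timeouts and no RELATED state; that simplification, the addresses and the packet stream are all mine. On the fragment point, the two HOWTO statements quoted in the question are consistent with each other: --syn needs a TCP header, which only the first fragment carries, and loading ip_conntrack or NAT makes the kernel reassemble fragments before the filter rules see them.

```shell
#!/bin/sh
# Toy model of the two rules (added example, not from the thread):
#   rule A: iptables -A block -m state --state NEW -j REJECT
#   rule B: iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
# Simplifications (mine): a tuple conntrack has seen in either direction is
# ESTABLISHED, anything else is NEW; no TCP state machine, timeouts or RELATED.

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN: SYN set and
# ACK, RST, FIN all clear. $1 is a comma-separated flag list, '-' for none.
syn_match() {
    case ",$1," in
        *,SYN,*)
            case ",$1," in
                *,ACK,*|*,RST,*|*,FIN,*) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# Conntrack table: one "proto src dst" tuple per line.
CT_TABLE=""
ct_add() { CT_TABLE="$CT_TABLE
$1 $2 $3"; }
ct_state() {   # proto src dst -> NEW or ESTABLISHED
    if printf '%s\n' "$CT_TABLE" | grep -qxF -e "$1 $2 $3" -e "$1 $3 $2"; then
        echo ESTABLISHED
    else
        echo NEW
    fi
}

# Verdicts: rule A asks conntrack, rule B only looks at TCP flags.
state_rule() {  # proto src dst
    if [ "$(ct_state "$1" "$2" "$3")" = NEW ]; then echo reject; else echo pass; fi
}
syn_rule() {    # proto src dst flags
    if [ "$1" = tcp ] && syn_match "$4"; then echo reject; else echo pass; fi
}

# Constructed stream (RFC 5737 addresses): proto src dst flags.
PACKETS='tcp 198.51.100.7:40000 192.0.2.10:22 SYN
tcp 198.51.100.7:40001 192.0.2.10:22 ACK
udp 198.51.100.7:53000 192.0.2.10:53 -
tcp 198.51.100.7:40500 192.0.2.10:80 ACK'

# Runs both rules over the stream, prints one line per packet and a final
# "disagreements: N" line.
compare_rules() {
    CT_TABLE=""
    ct_add tcp 192.0.2.10:80 198.51.100.7:40500   # connection conntrack already tracks
    n=0
    while read -r proto src dst flags; do
        a=$(state_rule "$proto" "$src" "$dst")
        b=$(syn_rule "$proto" "$src" "$dst" "$flags")
        # conntrack only confirms an entry for a packet the filter accepted
        if [ "$a" = pass ]; then ct_add "$proto" "$src" "$dst"; fi
        printf '%-4s %-20s %-18s %-4s state:%-7s syn:%s\n' \
            "$proto" "$src" "$dst" "$flags" "$a" "$b"
        if [ "$a" != "$b" ]; then n=$((n + 1)); fi
    done <<EOF
$PACKETS
EOF
    echo "disagreements: $n"
}

compare_rules
```

Running it prints four verdict lines and "disagreements: 2": the ACK scan and the UDP datagram are the two packets the --syn rule lets through and the state rule rejects.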
* Connection Tracking Limits.
From: rrecaba @ 2004-04-16 13:03 UTC (permalink / raw)
To: netfilter
Hello List,
I was wondering if anyone has had experience pushing the max
connections limit of the connection tracking module above its default.
I mean, what exactly could I expect to happen if I
echo 32752 > /proc/sys/net/ipv4/ip_conntrack_max
on a 256 MB machine? (whose default max limit is 16376)
Does it actually track more connections unreliably, or something else? Or does
it just ignore the oversized value?
Many thanks in advance,
Ruben.
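Added example, not from the thread: a POSIX shell check of conntrack table headroom and of the memory a new ip_conntrack_max commits, which is the measurement to take before and after the echo above. The kernel takes the written value as the new limit; it neither ignores it nor tracks anything "unreliably". Entries are allocated on demand from a slab cache, so the extra memory is only used as connections appear, and the one failure mode is that when the count reaches the limit the kernel logs "ip_conntrack: table full, dropping packet" and drops packets that would need a new entry, leaving existing connections alone. The 2.4 module sizes the hash table from RAM at load time and sets ip_conntrack_max to eight entries per bucket (16376 = 8 * 2047 buckets, matching the default quoted above), so raising the max alone only lengthens the hash chains; the bucket count is the module's hashsize parameter. The script reads the 2.4 files (/proc/net/ip_conntrack, /proc/sys/net/ipv4/ip_conntrack_max) and falls back to the 2.6+ names under /proc/sys/net/netfilter. The 300 bytes per entry is an assumed placeholder; on 2.4 substitute the figure the module prints at load time ("ip_conntrack version ... - N bytes per conntrack", visible in dmesg).

```shell
#!/bin/sh
# Conntrack headroom check (added example, not from the thread). Paths for
# 2.4 (ip_conntrack) and 2.6+ (nf_conntrack) are both tried. The per-entry
# size is an assumption; take the real one from the module's load message.
CT_BYTES_PER_ENTRY=${CT_BYTES_PER_ENTRY:-300}

# Path of the live limit, first one that exists; non-zero if none.
ct_max_path() {
    for f in /proc/sys/net/ipv4/ip_conntrack_max \
             /proc/sys/net/netfilter/nf_conntrack_max; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Current number of tracked connections; non-zero if conntrack is not loaded.
ct_live_count() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_count
    elif [ -r /proc/net/ip_conntrack ]; then
        grep -c . /proc/net/ip_conntrack || true   # 2.4: one line per entry
    else
        return 1
    fi
}

# ct_headroom COUNT MAX [THRESHOLD_PCT]: prints usage and the worst-case memory
# if the table fills; returns 1 when usage is at or above the threshold.
# Entries are allocated on demand, so the memory figure is only reached when
# COUNT actually hits MAX, which is also the point where the kernel starts
# logging "ip_conntrack: table full, dropping packet".
ct_headroom() {
    count=$1; max=$2; threshold=${3:-80}
    pct=$((count * 100 / max))
    printf '%d/%d entries (%d%%), up to %d KiB when full\n' \
        "$count" "$max" "$pct" $((max * CT_BYTES_PER_ENTRY / 1024))
    [ "$pct" -lt "$threshold" ]
}

# ct_buckets_for MAX: hash table size keeping the 2.4 default of eight
# entries per bucket (the module sets ip_conntrack_max = 8 * hashsize at
# load). Raising max without raising hashsize only makes chains longer.
ct_buckets_for() { echo $(( ($1 + 7) / 8 )); }

# Live check, skipped when the proc files are absent (no netfilter, not root).
if max_file=$(ct_max_path) && count=$(ct_live_count); then
    max=$(cat "$max_file")
    if ! ct_headroom "$count" "$max"; then
        echo "warning: over threshold; raise $max_file and reload the module" \
             "with hashsize=$(ct_buckets_for $((max * 2)))"
    fi
fi
```

For the 256 MB box in the question, ct_headroom 0 32752 reports under 10 MiB at the assumed entry size even if the doubled table fills, which is the figure to weigh against the box's free memory; the threshold return code is what a cron job would act on.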
* Active FTP and NATting: troubles
From: giovanni costagliola @ 2004-04-16 14:48 UTC (permalink / raw)
To: netfilter
Hello all,
I'm implementing a firewall which, moreover, NATs all the incoming connections to internal private addresses. I'm experiencing some
problems configuring active FTP and, honestly, I cannot figure out what's going wrong, so I'm asking for your help.
Scenario:
Internet <-> FW <-> DMZ
I'm NATting all public addresses to private ones.
Let's suppose my server has the public IP IP_PUBLIC and the private IP IP_PRIVATE.
I've loaded the following kernel modules:
ip_conntrack
ip_conntrack_ftp
ip_nat_ftp
Initially, I added the following rule:
iptables -t nat -A PREROUTING -d IP_PUBLIC -j DNAT --to-destination IP_PRIVATE
After some tests I added the following rule too:
iptables -t nat -A POSTROUTING -s IP_PRIVATE -j SNAT --to-source IP_PUBLIC
to allow NATting of the FTP server's incoming connections to the clients.
Q1. Am I right in doing so, or is the second rule redundant?
I see that, when I add the second rule, some matching occurs.
Then I enabled the traffic with the following four rules:
iptables -A CHAIN_INBOUND -d IP_PRIVATE -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
iptables -A CHAIN_OUTBOUND -s IP_PRIVATE -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A CHAIN_INBOUND -d IP_PRIVATE -p icmp -m state --state RELATED -j ACCEPT
iptables -A CHAIN_OUTBOUND -s IP_PRIVATE -p icmp -m state --state RELATED -j ACCEPT
Q2. The last two rules should allow ICMP traffic "related" to the FTP connection. Are they legal? In the sense that iptables can
handle them appropriately, recognizing that they are related to the FTP transfer?
Looking at the iptables statistics while attempting to connect via active FTP to the host, I don't see any matches on the rules
concerning the ftp-data channel.
Q3. Where am I going wrong?
Thanks for your time
*g
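Added example, not the poster's ruleset: a POSIX shell script that builds the NAT and stateful FORWARD rules for an FTP server in the DMZ of a 2.4 netfilter firewall, relying on the ip_conntrack_ftp and ip_nat_ftp helpers the post loads. Two points it makes concrete. First, the two NAT directions are separate targets: DNAT in PREROUTING has only --to-destination, and source NAT for connections the server itself opens (the active-mode data connection from port 20) is an SNAT rule in POSTROUTING with --to-source; replies to DNATed connections are un-NATed by conntrack without any extra rule. Second, with the helper loaded the first packet of the server's port-20 connection to the client is RELATED (the helper created an expectation from the client's PORT command), every later packet in either direction is ESTABLISHED, and passive-mode data connections are RELATED the same way from the rewritten PASV reply; ICMP errors about any tracked connection are RELATED to that connection, not to FTP in particular. One RELATED,ESTABLISHED rule therefore covers all data traffic in both directions, and only the control connection needs a NEW rule. The script uses FORWARD rather than the post's CHAIN_INBOUND/CHAIN_OUTBOUND chains, and the addresses, interface name and DRY_RUN switch are my placeholders; with DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# FTP server behind DNAT on a 2.4 netfilter firewall (added example, not the
# poster's ruleset). Placeholders: RFC 5737 documentation addresses, eth0 as
# the Internet-facing interface. DRY_RUN=1 prints the commands only.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}
IP_PUBLIC=${IP_PUBLIC:-192.0.2.10}
IP_PRIVATE=${IP_PRIVATE:-10.0.0.10}
WAN_IF=${WAN_IF:-eth0}

# NAT table. Inbound DNAT maps every port, so the control connection and any
# passive-mode data port the helper expects are covered. Replies to DNATed
# connections are un-NATed by conntrack on their own; SNAT is needed only for
# connections the server opens itself, i.e. active-mode data from port 20.
# DNAT has only --to-destination and SNAT only --to-source.
ftp_nat_rules() {   # $1 public IP, $2 private IP, $3 WAN interface
    cat <<EOF
-t nat -A PREROUTING -i $3 -d $1 -j DNAT --to-destination $2
-t nat -A POSTROUTING -o $3 -s $2 -j SNAT --to-source $1
EOF
}

# FORWARD chain. With ip_conntrack_ftp loaded, the first packet of the
# server's port-20 connection to the client is RELATED and all later packets
# are ESTABLISHED; passive data connections are RELATED from the PASV reply
# (which ip_nat_ftp rewrites from the private to the public address); ICMP
# errors about a tracked connection are RELATED to it. One rule covers all
# of that, so only the control connection (port 21) needs a NEW rule.
ftp_filter_rules() {  # $1 private IP
    cat <<EOF
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d $1 -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix FWD-DROP:
-A FORWARD -j DROP
EOF
}

# Applies (or, in dry-run, prints) each rule line read from stdin. $line is
# deliberately unquoted so the shell splits it into iptables arguments.
apply_rules() {
    while read -r line; do
        if [ "$DRY_RUN" = 1 ]; then echo "$IPT $line"; else $IPT $line; fi
    done
}

# Helpers must be loaded before the first FTP session: conntrack, then the
# conntrack helper, then the NAT helper.
for m in ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
    if [ "$DRY_RUN" = 1 ]; then echo "modprobe $m"; else modprobe "$m"; fi
done
{
    ftp_nat_rules "$IP_PUBLIC" "$IP_PRIVATE" "$WAN_IF"
    ftp_filter_rules "$IP_PRIVATE"
} | apply_rules
```

To see the helper at work, watch the counters with iptables -L FORWARD -v -n and iptables -t nat -L -v -n during an active-mode transfer: the RELATED,ESTABLISHED rule and the SNAT rule should both count packets. A SNAT counter stuck at zero means the server's port-20 connection is leaving with the private source address, which no client can answer.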