iptables questions

From: uncle_seb (uncle_seb@hushmail.com)
Date: 01/04/02


From: uncle_seb@hushmail.com (uncle_seb)
Date: 4 Jan 2002 05:48:30 -0800

Hello,

I'm transitioning from ipchains to iptables and everything has been
alright so far (though tedious), but I still have a couple of
unanswered questions. To my sense, there is a lack of readable/useful
documentation. My questions specifically concern masquerading
firewalls.

- Can I assume that '-m state --state ESTABLISHED' has no sense in the
FORWARD chain because if no connection has been established from my
LAN to the outside world, the packet will be handled by the INPUT
chain (considering its destination IP address is that of the outside
world interface and there is no such connection in the masquerading
table) ?

- How does UDP forwarding work? Is it protocol-driven? With INPUT and
FORWARD default policies set to DROP and unconditional LAN <-->
Internet FORWARD/MASQUERADE, DNS seems to work ok. Is this because
ipchains has knowledge of the DNS protocol and considers an outgoing
datagram to port 53 as a connection? If so, what protocols are
supported and how would I go about having other protocols recognised?

- My masqueraded Internet connection uses ADSL, i.e. the channel
between my outside world interface and my ISP is private. Does it make
sense to implement PREROUTING rules in the NAT table to refuse
non-routable IP addresses? I expect my ISP would not route packets
originating from such addresses and I thought about removing these
rules for performance reasons. What do you think?

- Last but not least: is it really impossible to combine a DROP and a
LOG target? The fact that you have to match the same pattern twice to
log and drop a packet because the LOG target does not stop chain
iteration does not make sense to me. I had to write a SORT chain to
sort between packets that should or should not be logged and I find it
really dumb.

Thanks for any suggestion!

uncle seb.
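An added example, not code from uncle_seb's post: a POSIX sh script that emits a minimal masquerading ruleset touching the points raised above. It uses the standard iptables idiom for logging and dropping with a single match, a user-defined chain whose first rule is LOG (which never terminates chain traversal) and whose second is DROP, so the pattern is written once and the chain is jumped to. It puts the private-source-address filter in the filter table on the external interface rather than in nat PREROUTING, because the nat table is consulted only for the first packet of a connection, and it accepts ESTABLISHED,RELATED in FORWARD so that replies to masqueraded connections reach the LAN (conntrack tracks UDP flows such as DNS as pseudo-connections keyed on address/port pairs with a timeout, which is why a reply from port 53 matches ESTABLISHED). The interface names ppp0 and eth1, the prefix 192.168.1.0/24 and the chain names LOGDROP and BOGON are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Emits an iptables ruleset
# for a masquerading gateway. Interface names and the LAN prefix are
# assumed placeholders; adjust them before applying.
EXT_IF="${EXT_IF:-ppp0}"               # assumed: interface facing the ISP
LAN_IF="${LAN_IF:-eth1}"               # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: LAN prefix

# Print the rules, one iptables invocation per line. Nothing is applied
# here; apply_rules below does that.
emit_rules() {
  cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# LOGDROP: log, then drop. LOG is non-terminating, so the DROP after it
# is what ends traversal; callers match once and jump here.
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "LOGDROP: "
iptables -A LOGDROP -j DROP
# BOGON: packets arriving from the ISP side with a private (RFC 1918)
# source address cannot be legitimate. Filtered here, in the filter table,
# which sees every packet; nat PREROUTING only sees a connection's first.
iptables -N BOGON
iptables -A BOGON -s 10.0.0.0/8 -j LOGDROP
iptables -A BOGON -s 172.16.0.0/12 -j LOGDROP
iptables -A BOGON -s 192.168.0.0/16 -j LOGDROP
iptables -A INPUT -i $EXT_IF -j BOGON
iptables -A FORWARD -i $EXT_IF -j BOGON
# Gateway itself: loopback, the LAN, and replies to connections it started.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet: anything new from the LAN prefix.
# Internet -> LAN: only replies to tracked connections. UDP (e.g. DNS) is
# tracked as a pseudo-connection, so the answer from port 53 matches.
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else is logged and dropped through the one chain.
iptables -A FORWARD -j LOGDROP
iptables -A INPUT -i $EXT_IF -j LOGDROP
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the ruleset (needs root and the iptables binary).
apply_rules() { emit_rules | sh -e; }

# Review helper usable without root: 1-based line number of the first
# emitted rule matching a basic-regex pattern, or 0 if none matches.
rule_line() {
  n=$(emit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
  echo "${n:-0}"
}
```

Run `emit_rules` to read the commands that would be issued, or `apply_rules` as root to load them; `rule_line` lets a script check that the LOG rule precedes the DROP rule in LOGDROP before the set is applied.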


