Gentoo Archives: gentoo-user

From: Patrick Marquetecken <patrick.marquetecken@×××××××.be>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPtables statefull connection capable
Date: Wed, 06 Jul 2005 07:11:51
Message-Id: 17908.212.190.229.68.1120633637.squirrel@rivendell.arda.org
> Hi,
>
> On Tue, 5 Jul 2005 15:52:20 +0200 (CEST)
> "Patrick Marquetecken" <patrick.marquetecken@×××××××.be> wrote:
>
>> If I’m correct then iptables is stateful connection capable, this means
>> I should not use rules like:
>> If state of connection is ESTABLISHED ...
>> If state of connection is RELATED ...
>>
>> and I may use only:
>> If protocol is TCP and source is bla bla and destination port is bla bla
>> and state of connection is NEW
>
> All of the mentioned rules are related to stateful connection matching.
> You probably want all ESTABLISHED and RELATED traffic in both the
> incoming and outgoing direction, and NEW connections only outgoing.
> Additionally you'll probably want NEW connections also in the incoming
> direction for the services you want to offer - that's how I interpret
> your last sentence. But you'll definitely want ESTABLISHED and RELATED,
> too.
>
> Concept usually is:
> INPUT:
> - allow ESTABLISHED,RELATED
> - allow NEW for selected services
> FORWARD:
> - allow NEW,ESTABLISHED,RELATED from LAN to WAN
> - allow ESTABLISHED,RELATED from WAN to LAN
> OUTPUT:
> - allow NEW,ESTABLISHED,RELATED
>
> where OUTPUT rules are optional if OUTPUT's policy is set to ACCEPT.
>
> Current connections being monitored are listed and accessible in procfs.
> When playing with Linux as a router for UDP traffic, you may want to
> play with the state matching related sysctls (also accessible via
> procfs) to adjust the timespan that the information is held. My VPN
> connections from LAN to WAN tend to time out otherwise. But that's just
> a side note.
>
> -hwh
>
> --
Thank you all,
The explanation was very clear, I thought because it’s stateful it’s not
necessary to add the ESTABLISHED,RELATED stuff.
I was using a setup like you say above.


Patrick


--
This is Unix-Land. In quiet nights, you can hear the Windows machines reboot.
--
gentoo-user@g.o mailing list
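The INPUT/FORWARD/OUTPUT concept hwh sketches in the quoted reply, written out as a POSIX shell script. This is an added example and not code from either poster. It assumes a router with LAN interface eth1 and WAN interface eth0 that offers ssh (22) and http (80) to the LAN side; the interface names and ports are assumptions. It emits an iptables-restore ruleset instead of calling iptables directly, so it can be inspected without root; the `-m state --state` match is the one the thread talks about (`-m conntrack --ctstate` is the current spelling of the same match). The last function reads the conntrack table and the UDP timeout sysctls from procfs, which is the side note at the end of hwh's reply, trying the nf_conntrack paths of current kernels first and the 2005-era ip_conntrack paths as a fallback.

```shell
#!/bin/sh
# Added example, not from the thread: the INPUT/FORWARD/OUTPUT concept
# as an iptables-restore ruleset. Interface names and services are
# assumptions: eth1 = LAN, eth0 = WAN, ssh and http offered on the LAN side.
LAN_IF=eth1
WAN_IF=eth0
LAN_SERVICES="22 80"   # TCP ports reachable from the LAN (assumed)

# Print the ruleset; load it with: gen_ruleset | iptables-restore
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    # NEW is accepted only for the offered services, and only from the LAN.
    for port in $LAN_SERVICES; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$LAN_IF" "$port"
    done
    # OUTPUT needs no rules because its policy is ACCEPT.
    cat <<EOF
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Returns 0 if any rule accepts a NEW connection arriving on the WAN
# interface, which is exactly what the concept is meant to exclude.
wan_accepts_new() {
    gen_ruleset | grep -q -- "-i $WAN_IF .*--state [A-Z,]*NEW.* -j ACCEPT"
}

# The procfs side note: tracked connections and the UDP timeouts.
# Only prints what exists (and is readable) on this host.
show_conntrack() {
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        [ -r "$f" ] && { echo "== $f"; head -n 5 "$f"; break; }
    done
    for f in /proc/sys/net/netfilter/nf_conntrack_udp_timeout \
             /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream; do
        [ -r "$f" ] && echo "$f = $(cat "$f")"
    done
    return 0
}

# Stand-alone use: print the ruleset and run the self-check.
gen_ruleset
if wan_accepts_new; then
    echo "WARNING: a rule accepts NEW connections from $WAN_IF" >&2
fi
```

Note that RELATED also admits connections opened by conntrack helpers (FTP data channels and the like), so only load the helper modules you need. If UDP flows across the router time out as hwh describes, the `*_udp_timeout_stream` value printed by show_conntrack is the one to raise.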