
Re: [Sheflug] Re: FreeBSD and Linux.



>    Chris> pass in log quick on ep0 proto tcp from any to any port = 22 flags S keep state
>
> Guessing - allow TCP connections/data from anywhere (coming in on a 3Com
> ethernet interface) to port 22:
>
> iptables -A FORWARD -i eth0 -p TCP -s 0.0.0.0/0 --dport 22 -j ACCEPT
>
> should work. What "keep state" means under BSD I dunno - but there are
> options for iptables for stateful tracking:
>
> iptables -A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
>

Yep, "keep state" is state tracking. "keep state" also works for UDP and
ICMP, even though they're both connectionless: it does a pseudo-tracking
with short timeouts (30 seconds) before it deletes the state
tracking.

> allows new connections and packets related to existing connections from
> eth0, but drops new connections or invalid packets coming in from ppp0
> from being passed through the box.

What is defined as an invalid packet though? (no I can't be asked to go and
look :-) ).

>
> Packets destined for the box are on the INPUT rule.
>
> Logging is another target:
>
> iptables [conditions] -j LOG
>

Now that I didn't understand when I saw it first time. Being able to say:

"pass in log quick on ..." seems to make much more sense than increasing the
ruleset by having to add yet more rules for logging. Yes, this could end up
logging every packet, but if I add the "log" keyword to the complete rule I
added above, it will only log the first incoming packet (i.e., the first SYN)
before the "keep state" part tracks the rest of the connection.

Another quick question as I've not looked. How does iptables manage NAT?
OpenBSD can map a network to a single IP and a range of ports (user
definable), or to a range of IP's, or even just map an entire subnet to
another subnet. For connections coming into a network via the NAT host, it
can also redirect them to hosts and ports in various ways. I know ipchains
had connection mapping with ipchains marks and various modules, but I don't
know how iptables does it.

Chris...

-- 
\ Chris Johnson           \  "If not for me then, do it for yourself. If not
 \ cej [at] nccnet.co.uk        \  for then do it for the world." -- Stevie Nicks
  \ www.nccnet.co.uk/~cej/  ~-----------------------------------------+
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
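The iptables translation discussed in this thread, written out as an added example (not code from the thread or its authors): the pf rule with "log" and "keep state" becomes a SYN-only NEW rule that is logged once, followed by the ESTABLISHED,RELATED and INVALID matches, plus the nat-table rules that answer the NAT question. The interface eth0, the LAN 192.168.1.0/24 and the inside host 192.168.1.10 are assumptions; the functions print the commands so they can be reviewed without root, and apply_rules runs them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables counterpart to the pf rule
#   pass in log quick on ep0 proto tcp from any to any port = 22 flags S keep state
# Assumed (not in the thread): outside interface eth0, LAN 192.168.1.0/24,
# an inside SSH host 192.168.1.10. The emit_* functions only print the
# commands so they can be reviewed without root; apply_rules runs them.

IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"

emit_ssh_rules() {
    # "flags S keep state": state is created only by the initial SYN, so only
    # that packet matches NEW. Logging it reproduces "log" on a keep-state
    # rule (first SYN only); a separate ACCEPT is needed because LOG does
    # not terminate rule traversal. Done for traffic to the box (INPUT) and
    # through it (FORWARD), since iptables keeps the two in separate chains.
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -i $IFACE -p tcp --dport 22 --syn -m state --state NEW -j LOG --log-prefix 'ssh-syn: '"
        echo "iptables -A $chain -i $IFACE -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT"
        # Later packets of the tracked connection, and ICMP errors RELATED to
        # it, pass silently, as "keep state" does.
        echo "iptables -A $chain -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # INVALID: conntrack could not match the packet to any connection
        # (e.g. a bare ACK with no prior SYN, or an unrelated ICMP error).
        echo "iptables -A $chain -i $IFACE -m state --state INVALID -j DROP"
    done
}

emit_nat_rules() {
    # NAT lives in the separate "nat" table. MASQUERADE maps the LAN to
    # whatever address $IFACE currently has (dynamic IP); SNAT would fix the
    # address and an optional port range instead. DNAT on PREROUTING
    # redirects inbound connections to an inside host and port.
    echo "iptables -t nat -A POSTROUTING -s $LAN -o $IFACE -j MASQUERADE"
    echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22"
}

apply_rules() {
    # Needs root and the iptables binary; stops at the first rule that fails.
    { emit_ssh_rules; emit_nat_rules; } | while IFS= read -r rule; do
        eval "$rule" || exit 1
    done
}
```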



___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 
To unsubscribe from this list send mail to 
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.